
Windows Analysis Report
Finerede.exe

Overview

General Information

Sample name: Finerede.exe
Analysis ID: 1619370
MD5: 014bc822578f34fccd7b3c5d4b0cf7f3
SHA1: 54a99f4294371524fc35e3759c1ce581743291d1
SHA256: 1b275e46dfcc1e187a0826c1e5c8eab33561445b48556db2aba49cdbe4470790
Tags: exe, guloader, vip, keylogger, user-malwarelabnet

Detection

GuLoader, Snake Keylogger
Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
AI detected suspicious PE digital signature
Creates a thread in another existing process (thread injection)
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Finerede.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\Finerede.exe" MD5: 014BC822578F34FCCD7B3C5D4B0CF7F3)
    • MpCmdRun.exe (PID: 7644 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Finerede.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\Finerede.exe" MD5: 014BC822578F34FCCD7B3C5D4B0CF7F3)
      • WerFault.exe (PID: 1820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 2548 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware family reference (Name / Description / Attribution / Blogpost URLs / Link)

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Username": "dalila.russo@novacitacor.pt", "Password": "#Novasystem123#", "Host": "mail.novacitacor.pt", "Port": "587", "Token": "7502066508:AAGz5-yl79jZ7Tfefk024IrMFNLc6CGJF4I", "Chat_id": "6978326966", "Version": "4.4"}
Yara matches (Source / Rule / Description / Author / Strings)

Source: 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000000.00000002.4046864846.00000000034A4000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp / SID / Severity / Classtype / Source IP / Source Port / Destination IP / Destination Port / Protocol)

2025-02-19T20:39:08.718277+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50003 | 142.250.184.206 | 443 | TCP

AV Detection

Source: 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "dalila.russo@novacitacor.pt", "Password": "#Novasystem123#", "Host": "mail.novacitacor.pt", "Port": "587", "Token": "7502066508:AAGz5-yl79jZ7Tfefk024IrMFNLc6CGJF4I", "Chat_id": "6978326966", "Version": "4.4"}
Source: Finerede.exe | Virustotal: Detection: 62%
Source: Finerede.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Finerede.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:50004 version: TLS 1.2
Source: Binary string: 78%%.pdb source: Finerede.exe, 00000005.00000002.4311279593.0000000036037000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: Finerede.exe, 00000005.00000002.4291353397.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Finerede.exe, 00000005.00000002.4311974564.0000000038376000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WERA169.tmp.dmp.8.dr
Source: Binary string: C:\Users\user\Desktop\Finerede.PDBD{ source: Finerede.exe, 00000005.00000002.4311279593.0000000036037000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: <8pc88C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Finerede.exe, 00000005.00000002.4291353397.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb8S source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb` source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: m0C:\Windows\mscorlib.pdb source: Finerede.exe, 00000005.00000002.4311279593.0000000036037000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA169.tmp.dmp.8.dr
Source: Binary string: \??\C:\Users\user\Desktop\Finerede.PDBh7 source: Finerede.exe, 00000005.00000002.4311974564.0000000038376000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Finerede.exe, 00000005.00000002.4311974564.0000000038376000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WERA169.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbq source: Finerede.exe, 00000005.00000002.4311974564.0000000038376000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WERA169.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERA169.tmp.dmp.8.dr
Source: C:\Users\user\Desktop\Finerede.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00402706 FindFirstFileW,0_2_00402706
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405731
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_004061E5 FindFirstFileW,FindClose,0_2_004061E5
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_00402706 FindFirstFileW,5_2_00402706
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_00405731
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_004061E5 FindFirstFileW,FindClose,5_2_004061E5
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111\Puggiest\Conjugationally\Counterdifficulty
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111\Puggiest\Conjugationally
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111\Puggiest
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50003 -> 142.250.184.206:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: Finerede.exe, 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Finerede.exe, 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Finerede.exe, 00000005.00000002.4311535337.000000003631B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: Finerede.exe, 00000005.00000002.4311535337.000000003631B000.00000004.00000800.00020000.00000000.sdmp, Finerede.exe, 00000005.00000002.4311535337.000000003630B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Finerede.exe, 00000005.00000002.4311974564.0000000038376000.00000004.00000020.00020000.00000000.sdmp, Finerede.exe, 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Finerede.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Finerede.exe, 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Finerede.exe, 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: Finerede.exe, 00000005.00000003.4122577287.0000000005D89000.00000004.00000020.00020000.00000000.sdmp, Finerede.exe, 00000005.00000003.4122518512.0000000005D89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/V
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D53000.00000004.00000020.00020000.00000000.sdmp, Finerede.exe, 00000005.00000002.4310483291.00000000353E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz3ZI
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz?
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/ELzc
Source: Finerede.exe, 00000005.00000003.4122577287.0000000005D89000.00000004.00000020.00020000.00000000.sdmp, Finerede.exe, 00000005.00000003.4122518512.0000000005D89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz&export=download
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz&export=downloadld
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1JMfSWGRn_d-7Tmej0eDkFVYJRsHh1isz&export=downloadxd
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown | Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50003 -> 443
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405295
Source: C:\Users\user\Desktop\Finerede.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,0_2_0040331C
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,5_2_0040331C
Source: C:\Users\user\Desktop\Finerede.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00404AD2 0_2_00404AD2
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_004064F7 0_2_004064F7
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_00404AD2 5_2_00404AD2
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_004064F7 5_2_004064F7
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_05A93E09 5_2_05A93E09
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_05A929EC 5_2_05A929EC
Source: C:\Users\user\Desktop\Finerede.exe | Code function: String function: 00402AD0 appears 51 times
Source: C:\Users\user\Desktop\Finerede.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 2548
Source: Finerede.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal92.troj.evad.winEXE@6/21@3/3
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_0040458C
Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,0_2_0040206A
Source: C:\Users\user\Desktop\Finerede.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister
Source: C:\Users\user\Desktop\Finerede.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7644
Source: C:\Users\user\Desktop\Finerede.exe | File created: C:\Users\user\AppData\Local\Temp\nsrFD57.tmp
Source: Finerede.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Finerede.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Finerede.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Finerede.exe | File read: C:\Users\user\Desktop\Finerede.exe
Source: unknown | Process created: C:\Users\user\Desktop\Finerede.exe "C:\Users\user\Desktop\Finerede.exe"
Source: C:\Users\user\Desktop\Finerede.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Finerede.exe | Process created: C:\Users\user\Desktop\Finerede.exe "C:\Users\user\Desktop\Finerede.exe"
Source: C:\Users\user\Desktop\Finerede.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 2548
Source: C:\Users\user\Desktop\Finerede.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Finerede.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Finerede.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: stempelpudernes.lnk.0.dr | LNK file: ..\Pictures\muringerne\giggliest.pha
Source: dinosaurusserne.lnk.0.dr | LNK file: ..\..\..\..\Users\Public\Pictures\eksistensberettigelsen.pre
Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Binary string: mscorlib.ni.pdb source: WERA169.tmp.dmp.8.dr
      Source: Binary string: System.Core.pdb source: WERA169.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbq source: Finerede.exe, 00000005.00000002.4311974564.0000000038376000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA169.tmp.dmp.8.dr
      Source: Binary string: System.ni.pdb source: WERA169.tmp.dmp.8.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WERA169.tmp.dmp.8.dr

      Data Obfuscation

      Source: Yara match | File source: 00000000.00000002.4046864846.00000000034A4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040620C
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_10002D50 push eax; ret 0_2_10002D7E

      Persistence and Installation Behavior

      Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by the system. 2) Organization 'Badmitonens' is not a known legitimate company. 3) Email domain 'Praedialist.Ud' appears suspicious and non-standard. 4) The OU field contains strange terms 'Antichlorine Pudding Nonstructural' that seem randomly generated. 5) Large time gap between compilation date (2013) and certificate dates (2025-2026) suggests possible timestamp manipulation. 6) While the country (FR) is not inherently suspicious, the combination with other factors suggests this could be a fake location. The certificate appears designed to masquerade as legitimate while containing multiple red flags typical of malware.
      Source: C:\Users\user\Desktop\Finerede.exe | File created: C:\Users\user\AppData\Local\Temp\nsu374.tmp\System.dll
      Source: C:\Users\user\Desktop\Finerede.exe | Process information set: NOOPENFILEERRORBOX (121 identical entries)
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
      Source: C:\Users\user\Desktop\Finerede.exe | Process information set: NOOPENFILEERRORBOX (43 identical entries)
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
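Two caveats on this block before the example. The "Process information set: NOOPENFILEERRORBOX" entries record SetErrorMode calls; many benign programs make them (WerFault.exe itself appears in the list), so they are context rather than evidence. And the dropped nsu374.tmp\System.dll is the NSIS System plugin, which marks the outer file as an NSIS-built package; an NSIS installer inherits the compile timestamp of the precompiled NSIS stub rather than the date the package was assembled, so an old timestamp beside a fresh certificate is expected and is weak evidence of manipulation on its own. The self-signed issuer is the stronger signal. The Joe Sandbox AI entry states those checks in prose; as an added example (not report content and not Joe Sandbox code), the following Python reads the COFF TimeDateStamp out of a PE header and scores it together with the signer fields. The PE bytes are a constructed stub, and the certificate fields use the organisation, OU and country shown in the entry with constructed validity dates; pulling the real fields out of the Authenticode blob would need a PKCS#7 parser, which this example does not include.

```python
import struct
from datetime import datetime, timedelta, timezone


def utc_seconds(year, month, day):
    """Seconds since the epoch for a UTC calendar date (helper for building stubs)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def build_pe_stub(timestamp, machine=0x014C):
    """Constructed minimal MZ/PE header carrying a chosen COFF TimeDateStamp.

    This is example data, not bytes taken from Finerede.exe."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 8 bytes past the PE signature (after Machine and NumberOfSections).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


# Signer fields as an analyst would have them after extracting the Authenticode
# signature. Names come from the report entry above; the dates are constructed.
SAMPLE_CERT = {
    "subject": {"O": "Badmitonens", "OU": "Antichlorine Pudding Nonstructural", "C": "FR"},
    "issuer": {"O": "Badmitonens", "OU": "Antichlorine Pudding Nonstructural", "C": "FR"},
    "not_before": datetime(2025, 2, 1, tzinfo=timezone.utc),
    "not_after": datetime(2026, 2, 1, tzinfo=timezone.utc),
}


def assess_signature(pe_data, cert, max_gap=timedelta(days=365)):
    """Return red-flag strings for the signer / compile-timestamp combination."""
    flags = []
    if cert["subject"] == cert["issuer"]:
        flags.append("self-signed: issuer equals subject, no chain to a trusted CA")
    compiled = pe_timestamp(pe_data)
    gap = cert["not_before"] - compiled
    if gap > max_gap:
        flags.append(f"compile timestamp {compiled:%Y-%m-%d} predates certificate "
                     f"validity by {gap.days} days")
    if compiled > cert["not_after"]:
        flags.append(f"compile timestamp {compiled:%Y-%m-%d} is after certificate expiry")
    return flags


if __name__ == "__main__":
    stub = build_pe_stub(utc_seconds(2013, 7, 1))
    for flag in assess_signature(stub, SAMPLE_CERT):
        print(flag)
```

Treat the timestamp gap as a weighting factor, not a verdict: besides the NSIS case above, deterministic .NET builds write a hash into TimeDateStamp, so the field can look like any date.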

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Finerede.exe | API/Special instruction interceptor: Address: 39E9AA3
      Source: C:\Users\user\Desktop\Finerede.exe | API/Special instruction interceptor: Address: 1D99AA3
      Source: C:\Users\user\Desktop\Finerede.exe | RDTSC instruction interceptor: First address: 39C180B second address: 39C180B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F74B44F4FCAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\Finerede.exe | RDTSC instruction interceptor: First address: 1D7180B second address: 1D7180B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F74B4C5D66Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\Finerede.exe | Memory allocated: 5A50000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\Finerede.exe | Memory allocated: 36260000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\Finerede.exe | Memory allocated: 361B0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\Finerede.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu374.tmp\System.dll
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00402706 FindFirstFileW, 0_2_00402706
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405731
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_004061E5 FindFirstFileW,FindClose, 0_2_004061E5
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_00402706 FindFirstFileW, 5_2_00402706
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_00405731
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 5_2_004061E5 FindFirstFileW,FindClose, 5_2_004061E5
      Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical
      Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111\Puggiest\Conjugationally\Counterdifficulty
      Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111\Puggiest\Conjugationally
      Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\
      Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111\Puggiest
      Source: C:\Users\user\Desktop\Finerede.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111
      Source: Finerede.exe, 00000005.00000002.4291353397.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, Finerede.exe, 00000005.00000002.4291353397.0000000005D71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\Finerede.exe | API call chain: ExitProcess graph end node | graph_0-4474
      Source: C:\Users\user\Desktop\Finerede.exe | API call chain: ExitProcess graph end node | graph_0-4472
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_00402D52 GetTempPathW,GetTickCount,GetModuleFileNameW,GetFileSize,LdrInitializeThunk,GlobalAlloc,CreateFileW,LdrInitializeThunk, 0_2_00402D52
      Source: C:\Users\user\Desktop\Finerede.exe | Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040620C
      Source: C:\Users\user\Desktop\Finerede.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Finerede.exe | Memory allocated: page read and write | page guard
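The two RDTSC interceptor entries above capture the sandbox-detection loop itself: read the time-stamp counter, compare, branch on carry, increment, read again. A hypervisor exit or an instrumentation hook between the two reads inflates the delta, and that is what the branch tests. The two hit pairs also sit at the same relative offsets (the API/special-instruction address is 0x28298 above the RDTSC address in both cases), which is consistent with one body of code running at two bases, and the second base lies 0x15C bytes past the EIP (1D716AF) of the thread the sample later creates inside MpCmdRun.exe; that reading is mine, not a statement of the report. As an added example, not part of the Joe Sandbox report, the following Python parses interceptor entries in the format shown on this page and flags the rdtsc / cmp / jcc / rdtsc window. The entry text is copied from the two lines above; the line layout it assumes is the one visible here, and the loop flag is my interpretation of the identical first and second addresses.

```python
import re
from dataclasses import dataclass

# The two interceptor entries copied from this report (the report's own data,
# embedded so the example runs offline).
SAMPLE_ENTRIES = [
    "RDTSC instruction interceptor: First address: 39C180B second address: 39C180B "
    "instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F74B44F4FCAh "
    "0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc",
    "RDTSC instruction interceptor: First address: 1D7180B second address: 1D7180B "
    "instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F74B4C5D66Ah "
    "0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc",
]


@dataclass
class Instr:
    offset: int
    mnemonic: str
    operands: str


# Assumed layout (the one visible on this page): two hit addresses, then a flat
# instruction list in which every instruction starts with an 8-hex-digit "0x" offset.
HEADER_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)\s+instructions:\s*(.*)$"
)
INSTR_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")

CONDITIONAL_JUMPS = {
    "ja", "jae", "jb", "jbe", "jc", "je", "jg", "jge", "jl", "jle", "jna", "jnae",
    "jnb", "jnbe", "jnc", "jne", "jng", "jnge", "jnl", "jnle", "jno", "jnp", "jns",
    "jnz", "jo", "jp", "jpe", "jpo", "js", "jz",
}


def parse_entry(text):
    """Split one interceptor entry into (first_addr, second_addr, [Instr, ...])."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("not an RDTSC interceptor entry")
    first, second, body = m.groups()
    instrs = []
    for off, asm in INSTR_RE.findall(body):
        mnemonic, _, operands = asm.partition(" ")
        instrs.append(Instr(int(off, 16), mnemonic, operands.strip()))
    return int(first, 16), int(second, 16), instrs


def is_rdtsc_timing_check(instrs):
    """True when two rdtsc reads bracket a compare/subtract and a conditional branch,
    i.e. the code decides something based on how long the stretch between reads took."""
    reads = [i for i, ins in enumerate(instrs) if ins.mnemonic == "rdtsc"]
    if len(reads) < 2:
        return False
    between = instrs[reads[0] + 1:reads[-1]]
    has_compare = any(ins.mnemonic in ("cmp", "sub") for ins in between)
    has_branch = any(ins.mnemonic in CONDITIONAL_JUMPS for ins in between)
    return has_compare and has_branch


def triage(entries):
    """Return one finding per entry whose instruction window is a timing check."""
    findings = []
    for text in entries:
        first, second, instrs = parse_entry(text)
        if is_rdtsc_timing_check(instrs):
            findings.append({
                "address": first,
                # Identical first/second addresses mean the hook fired twice at the
                # same spot; my reading is that the check runs in a loop.
                "loop": first == second,
                "instructions": [ins.mnemonic for ins in instrs],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(f"{finding['address']:#x} loop={finding['loop']} {' '.join(finding['instructions'])}")
```

The "cmp ebx, ecx" followed by "jc" compares the low halves of two counter reads as unsigned values; the incremented registers between the reads keep the loop busy so a stable delta can be measured, which is why the sandbox hooks the instruction and reports both hits.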

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\Finerede.exeThread created: C:\Program Files\Windows Defender\MpCmdRun.exe EIP: 1D716AFJump to behavior
      Source: C:\Users\user\Desktop\Finerede.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior
      Source: C:\Users\user\Desktop\Finerede.exeQueries volume information: C:\Users\user\Desktop\Finerede.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Finerede.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Finerede.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Finerede.exeCode function: 0_2_00405EC4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00405EC4
      Source: C:\Users\user\Desktop\Finerede.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Users\user\Desktop\Finerede.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Users\user\Desktop\Finerede.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
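
The behaviour lines in this block and in the sandbox-evasion block above are the raw material an analyst turns into detections: a thread created inside Windows Defender's MpCmdRun.exe by a binary on the user's Desktop, that same binary spawning MpCmdRun.exe, SecurityCenter2 AntiVirusProduct enumeration issued both by the sample and from inside the Defender process, a MachineGuid read, SeDebugPrivilege, and a thousand directory queries. The Python triage helper below is an added example written for this page, not Joe Sandbox code. It parses lines in the report's "Source: <process or memory dump><event label>: <detail>" form (tolerating both the run-together form the extraction produced, with its trailing "Jump to behavior" link text, and a "; " separator), then applies a small rule set that maps the behaviours to ATT&CK technique IDs. The sample lines are copies of lines from this report, the rule set, the technique mapping and the 500-query threshold for bulk enumeration are the example's own assumptions.

```python
"""Triage helper for behaviour lines in the form Joe Sandbox prints them:

    Source: <process or memory dump><event label>: <detail>[Jump to behavior]

Added example for this page, not Joe Sandbox code.  The technique mapping,
the rule set and the enumeration threshold are the example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: copies of lines from this report.  Most keep the
# run-together form and trailing "Jump to behavior" link text that extraction
# left behind; the MachineGuid line shows the cleaned "; " form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Finerede.exeProcess token adjusted: DebugJump to behavior",
    r"Source: C:\Users\user\Desktop\Finerede.exeMemory allocated: page read and write | page guardJump to behavior",
    r"Source: C:\Users\user\Desktop\Finerede.exeThread created: C:\Program Files\Windows Defender\MpCmdRun.exe EIP: 1D716AFJump to behavior",
    r'Source: C:\Users\user\Desktop\Finerede.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior',
    r"Source: C:\Users\user\Desktop\Finerede.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\Finerede.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\Finerede.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\Finerede.exeDirectory queried: number of queries: 1001",
    r"Source: C:\Users\user\Desktop\Finerede.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Autos111Jump to behavior",
]

# Event labels the report prints directly after the source; no separator
# survives extraction, so the parser splits on the label itself.
EVENT_LABELS = (
    "Thread created", "Process created", "Process token adjusted",
    "Memory allocated", "WMI Queries", "Key value queried",
    "Queries volume information", "Directory queried", "File opened",
    "Code function", "Binary or memory string", "API call chain",
)
_LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.*?);?\s*(?P<event>"
    + "|".join(re.escape(label) for label in EVENT_LABELS)
    + r")\s*:?\s*(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)
# Locations a legitimately installed Windows component does not run from.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
DEFENDER_DIR = re.compile(r"^C:\\Program Files\\Windows Defender\\", re.I)
BULK_ENUM_THRESHOLD = 500  # assumption: query count that counts as bulk enumeration


@dataclass
class Event:
    source: str
    event: str
    detail: str


@dataclass
class Finding:
    technique: str  # ATT&CK ID, this example's own mapping
    why: str
    event: Event


def parse_line(line):
    """Return an Event for one report line, or None if the line is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["source"].strip(), m["event"], m["detail"].strip())


def assess(events):
    findings = []
    for ev in events:
        from_user_path = bool(USER_WRITABLE.match(ev.source))
        who = ev.source.rsplit("\\", 1)[-1]
        if ev.event == "Thread created" and from_user_path and DEFENDER_DIR.match(ev.detail):
            findings.append(Finding("T1055", "thread created inside Windows Defender's MpCmdRun.exe by a binary running from a user-writable path", ev))
        elif ev.event == "Process created" and from_user_path and "mpcmdrun.exe" in ev.detail.lower():
            findings.append(Finding("T1055", "user-path binary launches MpCmdRun.exe itself; -wdenable is a legitimate switch, the parent is not", ev))
        elif ev.event == "WMI Queries" and "root\\SecurityCenter2" in ev.detail and "AntiVirusProduct" in ev.detail:
            findings.append(Finding("T1518.001", f"enumerates registered antivirus products via SecurityCenter2 (issued by {who})", ev))
        elif ev.event == "Key value queried" and ev.detail.endswith("MachineGuid"):
            findings.append(Finding("T1082", "reads Cryptography\\MachineGuid, a stable per-host identifier used for victim fingerprinting", ev))
        elif ev.event == "Process token adjusted" and ev.detail == "Debug":
            findings.append(Finding("T1134", "enables SeDebugPrivilege on its own token", ev))
        elif ev.event == "Directory queried":
            m = re.search(r"(\d+)", ev.detail)
            if m and int(m.group(1)) >= BULK_ENUM_THRESHOLD:
                findings.append(Finding("T1083", f"bulk directory enumeration ({m.group(1)} queries)", ev))
    return findings


def summarize(findings):
    """Collapse repeated hits into {technique: sorted list of distinct rationales}."""
    by_technique = {}
    for f in findings:
        by_technique.setdefault(f.technique, set()).add(f.why)
    return {k: sorted(v) for k, v in by_technique.items()}


def triage(lines):
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return events, summarize(assess(events))


if __name__ == "__main__":
    _, summary = triage(SAMPLE_LINES)
    for technique, reasons in sorted(summary.items()):
        for reason in reasons:
            print(f"{technique}: {reason}")
```

The point of keeping the source process in the SecurityCenter2 rationale is that the same WMI query shows up twice in this report with different issuers: once from Finerede.exe and once from MpCmdRun.exe, which only makes sense if the code running inside the Defender process is the injected payload. Lines the rule set does not know (the PAGE_GUARD allocation, the INetCache file opens) still parse, so they can be listed for manual review rather than silently dropped.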

      Stealing of Sensitive Information

Source: Yara match; File source: 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Finerede.exe; Directory queried: number of queries: 1001

      Remote Access Functionality

Source: Yara match; File source: 00000005.00000002.4311535337.0000000036261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix
(The matrix is listed column by column, one line per tactic. A number in square brackets is the badge the report shows next to a technique matched by this analysis; entries without a number are the matrix template's unmatched cells.)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation [1], Native API [1], At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection [111], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading [11], Virtualization/Sandbox Evasion [1], Disable or Modify Tools [1], Process Injection [111], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], DLL Side-Loading [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery [211], Virtualization/Sandbox Evasion [1], System Network Configuration Discovery [1], File and Directory Discovery [13], System Information Discovery [214], Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data [1], Clipboard Data [1], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel [11], Ingress Tool Transfer [1], Non-Application Layer Protocol [2], Application Layer Protocol [13], Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: System Shutdown/Reboot [1], Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery