Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1628820
MD5: 0defd57c9047c2c1312a07e9fe0a3fc5
SHA1: 81ee5b6239a5185a8bb2a8a25a95df5483511d1b
SHA256: 274380302569ea97c66208f53d92d521a1c601e1f6d4bfa4ad093bae8f5a1498
Tags: exe, user-skocherhan

Detection

AveMaria, Clipboard Hijacker, StormKitty
Score: 62
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AveMaria stealer
Yara detected Clipboard Hijacker
Yara detected StormKitty Stealer
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 7812 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 0DEFD57C9047C2C1312A07E9FE0A3FC5)
    • Cheat.exe (PID: 1772 cmdline: "C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe" MD5: CE0241AABFFB5E51E1C5C21FD74F5A76)
      • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5420 cmdline: C:\Windows\system32\cmd.exe /c C:\HiddenFolder\reset.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • reset.exe (PID: 6884 cmdline: C:\HiddenFolder\reset.exe MD5: 6A5F3230A1256C3A71744CAEDF7D92C8)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x45a28:$x2: https://github.com/LimerBoy/StormKitty
  • 0x44875:$x3: StormKitty
  • 0x453c1:$x3: StormKitty
  • 0x45a18:$x3: StormKitty
  • 0x45a44:$x3: StormKitty
Source: C:\HiddenFolder\reset.exe | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x45a28:$x2: https://github.com/LimerBoy/StormKitty
  • 0x44875:$x3: StormKitty
  • 0x453c1:$x3: StormKitty
  • 0x45a18:$x3: StormKitty
  • 0x45a44:$x3: StormKitty
Source: 00000005.00000002.3881372092.0000000001860000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x671f9:$x2: https://github.com/LimerBoy/StormKitty
  • 0x23ac:$x3: StormKitty
  • 0x65338:$x3: StormKitty
  • 0x671e9:$x3: StormKitty
  • 0x67215:$x3: StormKitty
Source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_StormKitty | Description: Yara detected StormKitty Stealer | Author: Joe Security
Source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Clipboard_Hijacker_4 | Description: Yara detected Clipboard Hijacker | Author: Joe Security
Source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 5.2.reset.exe.1860000.1.raw.unpack | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x671f9:$x2: https://github.com/LimerBoy/StormKitty
  • 0x23ac:$x3: StormKitty
  • 0x65338:$x3: StormKitty
  • 0x671e9:$x3: StormKitty
  • 0x67215:$x3: StormKitty
Source: 5.0.reset.exe.e90000.0.unpack | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x45a28:$x2: https://github.com/LimerBoy/StormKitty
  • 0x44875:$x3: StormKitty
  • 0x453c1:$x3: StormKitty
  • 0x45a18:$x3: StormKitty
  • 0x45a44:$x3: StormKitty
Source: 5.2.reset.exe.1860000.1.unpack | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x643f9:$x2: https://github.com/LimerBoy/StormKitty
  • 0x5ac:$x3: StormKitty
  • 0x62538:$x3: StormKitty
  • 0x643e9:$x3: StormKitty
  • 0x64415:$x3: StormKitty
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T06:37:36.650085+0100 | 2044965 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 185.199.110.133 | 443 | TCP
2025-03-04T06:37:36.650085+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 185.199.110.133 | 443 | TCP


AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1313099
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Avira: detection malicious, Label: HEUR/AGEN.1317776
Source: C:\HiddenFolder\reset.exe | Avira: detection malicious, Label: HEUR/AGEN.1313099
Source: C:\HiddenFolder\reset.exe | ReversingLabs: Detection: 71%
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe | ReversingLabs: Detection: 71%
Source: Setup.exe | ReversingLabs: Detection: 28%
Source: Setup.exe | Virustotal: Detection: 51%
Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.6% probability
Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: Binary string: C:\Users\shurup\source\repos\ConsoleApplication4\Release\Reset.pdb | source: Cheat.exe, 00000001.00000000.1486019745.00000000000E1000.00000002.00000001.01000000.00000006.sdmp, Cheat.exe, 00000001.00000002.3874808994.00000000000E1000.00000002.00000001.01000000.00000006.sdmp, Cheat.exe.0.dr
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D7E0A FindFirstFileExW

Networking

Source: Network traffic | Suricata IDS: 2044965 - Severity 1 - ET MALWARE StormKitty Download Request With Minimal Headers : 192.168.2.8:49711 -> 185.199.110.133:443
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 | Host: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View | IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49711 -> 185.199.110.133:443
Source: global traffic | HTTP traffic detected: GET /shram88/reset/raw/main/reset.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /shram88/reset/main/reset.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Connection: Keep-Alive | Host: raw.githubusercontent.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D1150 std::_Xinvalid_argument, CreateDirectoryW, SetFileAttributesW, URLDownloadToFileW
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 67C0:29F3E0:153AB6:1C1F85:67C6919C | Accept-Ranges: bytes | Date: Tue, 04 Mar 2025 05:37:34 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740028-EWR | X-Cache: MISS | X-Cache-Hits: 0 | X-Timer: S1741066654.002390,VS0,VE9 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: 6c23a472d2d4d432a9f2e8285e6b86093cc3d9f0 | Expires: Tue, 04 Mar 2025 05:42:34 GMT | Source-Age: 0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 67C0:29F3E0:153AB6:1C1F85:67C6919C | Accept-Ranges: bytes | Date: Tue, 04 Mar 2025 05:37:36 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740056-EWR | X-Cache: HIT | X-Cache-Hits: 1 | X-Timer: S1741066657.603751,VS0,VE1 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: 32edbd95d22b75854f6457a488670f62709a33e2 | Expires: Tue, 04 Mar 2025 05:42:36 GMT | Source-Age: 3
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 67C0:29F3E0:153AB6:1C1F85:67C6919C | Accept-Ranges: bytes | Date: Tue, 04 Mar 2025 05:37:39 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740053-EWR | X-Cache: HIT | X-Cache-Hits: 1 | X-Timer: S1741066659.271763,VS0,VE1 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: 00f3bb406cfa31dfb7baee7e01b8937c1e2dc2d3 | Expires: Tue, 04 Mar 2025 05:42:39 GMT | Source-Age: 5
Source: Setup.exe | String found in binary or memory: http://developee.com/
Source: Setup.exe | String found in binary or memory: http://developee.com/83886080cheats000100cheats1cheats
Source: reset.exe, 00000005.00000002.3886205797.0000000004628000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000005.00000002.3886205797.00000000046B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: reset.exe, 00000005.00000002.3886205797.0000000004628000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=h
Source: reset.exe, 00000005.00000002.3886205797.0000000004628000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: reset.exe, 00000005.00000002.3892947727.000000001EFEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co%
Source: reset.exe, 00000005.00000002.3886205797.0000000004776000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000005.00000002.3886205797.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000005.00000002.3886205797.0000000004755000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: reset.exe, 00000005.00000002.3886205797.0000000004628000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: simsetup.exe.0.dr | String found in binary or memory: http://www.sminstall.com/
Source: simsetup.exe.0.dr | String found in binary or memory: http://www.sminstall.com/83886080Smart
Source: simsetup.exe.0.dr | String found in binary or memory: http://www.sminstall.com/support.html
Source: simsetup.exe.0.dr | String found in binary or memory: http://www.sminstall.com/support.html10011111101255405401SOFTWARE
Source: simsetup.exe.0.dr | String found in binary or memory: http://www.sminstall.com/uninstall.html
Source: simsetup.exe.0.dr | String found in binary or memory: http://www.sminstall.com/uninstall.htmlSmart
Source: Cheat.exe, 00000001.00000003.2831837445.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880264173.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/
Source: reset.exe.1.dr | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: Cheat.exe, 00000001.00000002.3876208796.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880264173.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3874808994.00000000000E1000.00000002.00000001.01000000.00000006.sdmp, Cheat.exe.0.dr | String found in binary or memory: https://github.com/shram88/reset/raw/main/reset.exe
Source: Cheat.exe, 00000001.00000003.2831837445.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880264173.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/shram88/reset/raw/main/reset.exeh
Source: Cheat.exe, 00000001.00000003.2831837445.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880264173.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com2
Source: reset.exe, 00000005.00000002.3886205797.0000000004776000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000005.00000002.3886205797.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000005.00000002.3886205797.0000000004741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: Cheat.exe, 00000001.00000003.1532799009.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2832004929.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1543731983.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1544014471.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880469086.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/
Source: Cheat.exe, 00000001.00000003.1532799009.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/=
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: Cheat.exe, 00000001.00000003.1532799009.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2832004929.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1543731983.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1544014471.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880469086.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/k
Source: Cheat.exe, 00000001.00000003.2831956357.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880469086.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exe
Source: Cheat.exe, 00000001.00000003.1533008021.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exe$
Source: Cheat.exe, 00000001.00000002.3880264173.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exe&
Source: Cheat.exe, 00000001.00000002.3880264173.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exe6
Source: Cheat.exe, 00000001.00000003.2832004929.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1543731983.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1544014471.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880469086.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exeC:
Source: Cheat.exe, 00000001.00000003.2831837445.0000000000F77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exeSSC:
Source: Cheat.exe, 00000001.00000003.2832004929.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1543731983.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.1544014471.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000002.3880469086.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exeYc
Source: Cheat.exe, 00000001.00000003.1533008021.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exem/shram88/reset/main/reset.exe
Source: Cheat.exe, 00000001.00000002.3880264173.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/shram88/reset/main/reset.exeu
Source: Cheat.exe, 00000001.00000003.1532799009.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/w
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

E-Banking Fraud

Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR

System Summary

Source: 5.2.reset.exe.1860000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 5.0.reset.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 5.2.reset.exe.1860000.1.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000005.00000002.3881372092.0000000001860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe, type: DROPPED | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\HiddenFolder\reset.exe, type: DROPPED | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\HiddenFolder\reset.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000DF86D
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B0676F8
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B06089D
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B060568
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B067C8F
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B067AB3
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B067789
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B06EE4F
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B06B661
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B068CAE
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B06B4B5
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B0678E5
Source: C:\HiddenFolder\reset.exe | Code function: 5_2_00007FFB4B060500
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: String function: 000D20E0 appears 35 times
Source: reset.exe.1.dr | Static PE information: No import functions for PE file found
Source: reset[1].exe.1.dr | Static PE information: No import functions for PE file found
          Source: 5.2.reset.exe.1860000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
          Source: 5.0.reset.exe.e90000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
          Source: 5.2.reset.exe.1860000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
          Source: 00000005.00000002.3881372092.0000000001860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
          Source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
          Source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe, type: DROPPEDMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
          Source: C:\HiddenFolder\reset.exe, type: DROPPEDMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
          Source: reset[1].exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: reset.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal62.troj.spyw.evad.winEXE@8/7@3/3
          Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Program Files (x86)\Developer ltd
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
          Source: C:\HiddenFolder\reset.exe | Mutant created: NULL
          Source: C:\HiddenFolder\reset.exe | Mutant created: \Sessions\1\BaseNamedObjects\09B668B429A4BF3829B4833B450D1584
          Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\$inst
          Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Program Files (x86)\desktop.ini
          Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Setup.exe | ReversingLabs: Detection: 28%
          Source: Setup.exe | Virustotal: Detection: 51%
          Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
          Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe "C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe"
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\HiddenFolder\reset.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\HiddenFolder\reset.exe C:\HiddenFolder\reset.exe
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cabinet.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msftedit.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.globalization.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: bcp47mrm.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: globinputhost.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ndfapi.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wdi.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: duser.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: xmllite.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: atlthunk.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: pcacli.dll
          Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc_os.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: apphelp.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: urlmon.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: srvcli.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: netutils.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: uxtheme.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: winnsi.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: schannel.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: mskeyprotect.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: ntasn1.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: dpapi.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: cryptsp.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: rsaenh.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: gpapi.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: ncrypt.dll
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: mscoree.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: apphelp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: kernel.appcore.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: version.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: uxtheme.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: wldp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: amsi.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: userenv.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: profapi.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: sspicli.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: windows.storage.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: wbemcomn.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: cryptsp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: rsaenh.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: cryptbase.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: rasapi32.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: rasman.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: rtutils.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: mswsock.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: winhttp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: iphlpapi.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: dhcpcsvc.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: dnsapi.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: rasadhlp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: fwpuclnt.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: secur32.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: schannel.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: mskeyprotect.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: ntasn1.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: ncrypt.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: ncryptsslp.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: msasn1.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: gpapi.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: textshaping.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: textinputframework.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: coreuicomponents.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: coremessaging.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: ntmarta.dll
          Source: C:\HiddenFolder\reset.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\Setup.exe | Automated click: OK
          Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Windows\SysWOW64\msftedit.DLL
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\HiddenFolder\reset.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Setup.exe | Static file information: File size 1657063 > 1048576
          Source: Binary string: C:\Users\shurup\source\repos\ConsoleApplication4\Release\Reset.pdb source: Cheat.exe, 00000001.00000000.1486019745.00000000000E1000.00000002.00000001.01000000.00000006.sdmp, Cheat.exe, 00000001.00000002.3874808994.00000000000E1000.00000002.00000001.01000000.00000006.sdmp, Cheat.exe.0.dr
          Source: Setup.exe | Static PE information: real checksum: 0x3b377 should be: 0x198d21
          Source: reset.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x4e7d1
          Source: Cheat.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1aff3
          Source: simsetup.exe.0.dr | Static PE information: real checksum: 0x3b377 should be: 0x18f911
          Source: reset[1].exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x4e7d1
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FA210 pushfd ; retn 0040h | 0_2_021FA211
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FB43C pushfd ; retn 0040h | 0_2_021FB43D
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FBE3C pushfd ; retn 0040h | 0_2_021FBE3D
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FC038 pushfd ; retn 0040h | 0_2_021FC039
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F7278 pushfd ; retn 0040h | 0_2_021F7279
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F9A78 pushfd ; retn 0040h | 0_2_021F9A79
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FA478 pushfd ; retn 0040h | 0_2_021FA479
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FAC6C pushfd ; retn 0040h | 0_2_021FAC6D
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FCC60 pushfd ; retn 0040h | 0_2_021FCC61
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F7A90 pushfd ; retn 0040h | 0_2_021F7A91
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FAED4 pushfd ; retn 0040h | 0_2_021FAED5
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F9CF0 pushfd ; retn 0040h | 0_2_021F9CF1
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FC8E8 pushad ; retf | 0_2_021FC8E9
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F9534 pushfd ; retn 0040h | 0_2_021F9535
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F7560 pushfd ; retn 0040h | 0_2_021F7561
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F8D90 pushfd ; retn 0040h | 0_2_021F8D91
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FC790 pushfd ; retn 0040h | 0_2_021FC791
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FB1B0 pushfd ; retn 0040h | 0_2_021FB1B1
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F97AC pushfd ; retn 0040h | 0_2_021F97AD
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F9FA8 pushfd ; retn 0040h | 0_2_021F9FA9
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FA7A0 pushfd ; retn 0040h | 0_2_021FA7A1
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021F6DC0 pushfd ; retn 0040h | 0_2_021F6DC1
          Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_021FA9F4 pushfd ; retn 0040h | 0_2_021FA9F5
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D2124 push ecx; ret | 1_2_000D2136
          Source: reset[1].exe.1.dr | Static PE information: section name: .text entropy: 7.986615672208267
          Source: reset.exe.1.dr | Static PE information: section name: .text entropy: 7.986615672208267
          Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\reset[1].exe
          Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | File created: C:\HiddenFolder\reset.exe
          Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Program Files (x86)\Developer ltd\cheats\simsetup.exe
          Source: C:\Users\user\Desktop\Setup.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\HiddenFolder\reset.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
          Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Source: reset.exe, 00000005.00000002.3886205797.0000000004739000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\HiddenFolder\reset.exe | Memory allocated: 1700000 memory reserve | memory write watch
          Source: C:\HiddenFolder\reset.exe | Memory allocated: 1C2A0000 memory reserve | memory write watch
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599890Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599780Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599671Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599562Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599448Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599343Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599234Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599125Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 599015Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598906Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598796Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598687Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598578Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598468Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598359Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598249Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598140Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 598031Jump to behavior
          Source: C:\HiddenFolder\reset.exeThread delayed: delay time: 597921Jump to behavior
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597812
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597703
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597593
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597484
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597375
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597265
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597156
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597046
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596937
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596828
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596718
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596609
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596500
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596390
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596281
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596171
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596062
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595953
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595843
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595734
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595625
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595515
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595406
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595296
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595187
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595078
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594968
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594859
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594750
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594640
Source: C:\HiddenFolder\reset.exe | Window / User API: threadDelayed 1301
Source: C:\HiddenFolder\reset.exe | Window / User API: threadDelayed 8549
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Developer ltd\cheats\simsetup.exe
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | API coverage: 6.4 %
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -600000s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599890s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599780s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599671s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599562s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599448s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599343s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599234s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599125s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -599015s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598906s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598796s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598687s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598578s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598468s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598359s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598249s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598140s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -598031s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597921s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597812s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597703s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597593s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597484s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597375s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597265s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597156s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -597046s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596937s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596828s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596718s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596609s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596500s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596390s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596281s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596171s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -596062s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595953s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595843s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595734s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595625s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595515s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595406s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595296s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595187s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -595078s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -594968s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -594859s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -594750s >= -30000s
Source: C:\HiddenFolder\reset.exe TID: 3352 | Thread sleep time: -594640s >= -30000s
Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\HiddenFolder\reset.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D7E0A FindFirstFileExW, 1_2_000D7E0A
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 922337203685477
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 600000
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599890
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599780
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599671
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599562
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599448
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599343
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599234
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599125
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 599015
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598906
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598796
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598687
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598578
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598468
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598359
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598249
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598140
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 598031
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597921
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597812
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597703
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597593
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597484
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597375
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597265
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597156
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 597046
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596937
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596828
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596718
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596609
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596500
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596390
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596281
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596171
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 596062
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595953
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595843
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595734
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595625
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595515
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595406
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595296
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595187
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 595078
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594968
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594859
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594750
Source: C:\HiddenFolder\reset.exe | Thread delayed: delay time: 594640
Source: reset.exe, 00000005.00000002.3886205797.0000000004739000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Setup.exe, 00000000.00000002.3875171171.000000000084C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Cheat.exe, 00000001.00000002.3880264173.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831956357.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Cheat.exe, 00000001.00000002.3880103310.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, Cheat.exe, 00000001.00000003.2831837445.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VirtualMachine:
Source: Cheat.exe, 00000001.00000002.3876208796.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW#
Source: reset.exe, 00000005.00000002.3892340184.000000001CF3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\HiddenFolder\reset.exe | Process information queried: ProcessInformation
Source: C:\HiddenFolder\reset.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D4D3D IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 1_2_000D4D3D
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D9509 mov eax, dword ptr fs:[00000030h] 1_2_000D9509
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D5BBD mov eax, dword ptr fs:[00000030h] 1_2_000D5BBD
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000DA7E7 GetProcessHeap, 1_2_000DA7E7
Source: C:\HiddenFolder\reset.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D200F SetUnhandledExceptionFilter, 1_2_000D200F
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D4D3D IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 1_2_000D4D3D
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D1A00 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 1_2_000D1A00
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D1EAD IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 1_2_000D1EAD
Source: C:\HiddenFolder\reset.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe "C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe"
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\HiddenFolder\reset.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\HiddenFolder\reset.exe C:\HiddenFolder\reset.exe
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D2138 cpuid 1_2_000D2138
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\HiddenFolder\reset.exe | Queries volume information: C:\HiddenFolder\reset.exe VolumeInformation
Source: C:\Program Files (x86)\Developer ltd\cheats\Cheat.exe | Code function: 1_2_000D1D94 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, 1_2_000D1D94
Source: C:\HiddenFolder\reset.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR
Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR
Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx5
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\keystore
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets
Source: reset.exe, 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\keystore
Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR
Source: Yara match | File source: 00000005.00000002.3886205797.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: reset.exe PID: 6884, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 2 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 451 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 161 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 161 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 34 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1628820, Sample: Setup.exe, Start date: 04/03/2025, Architecture: WINDOWS, Score: 62)

Process tree and network activity recovered from the graph:

• Setup.exe (started; graph counters 17, 8): drops C:\Program Files (x86)\...\simsetup.exe (PE32) and C:\Program Files (x86)\...\Cheat.exe (PE32); starts Cheat.exe
• Cheat.exe (graph counter 16): connects to github.com (140.82.121.3, port 443, local port 49706, GITHUBUS, United States) and raw.githubusercontent.com (185.199.110.133, port 443, local ports 49707 and 49710, FASTLYUS, Netherlands); drops C:\Users\user\AppData\Local\...\reset[1].exe (PE32+) and C:\HiddenFolder\reset.exe (PE32+); starts cmd.exe and conhost.exe
• cmd.exe (graph counter 1): starts reset.exe
• reset.exe (graph counters 14, 6): connects to ip-api.com (208.95.112.1, port 80, local port 49709, TUT-ASUS, United States)

Signatures attached to the sample node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 7 other signatures.

Signatures attached to the reset.exe node: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures.
