Edit tour

Windows Analysis Report
ohtie89k.exe

Overview

General Information

Sample name:	ohtie89k.exe
Analysis ID:	1629913
MD5:	ba57c75d6c4e2936f6cad4a1ba4c29d1
SHA1:	8299498803759fbb63a323b0ad64694d72d0c352
SHA256:	c54714fec4a8cab57d0f0304210fc2f4f50f6fbcee80fc2d3db9cf30a31853d2
Tags:	185-215-113-209exeuser-JAMESWT_MHT
Infos:

Detection

RedLine, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Yara detected XWorm

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Drops PE files to the startup folder

Joe Sandbox ML detected suspicious sample

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ohtie89k.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\ohtie89k.exe" MD5: BA57C75D6C4E2936F6CAD4A1BA4C29D1)

windows.exe (PID: 7352 cmdline: "C:\ProgramData\windows.exe" MD5: 93D6BDF913CAB64FEC58C765AFDBA3D4)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service.exe (PID: 7380 cmdline: "C:\ProgramData\service.exe" MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service.exe (PID: 7600 cmdline: C:\Users\user\AppData\Roaming\service.exe MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

service.exe (PID: 7712 cmdline: "C:\Users\user\AppData\Roaming\service.exe" MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

service.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Roaming\service.exe" MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

service.exe (PID: 8156 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe" MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

service.exe (PID: 5244 cmdline: C:\Users\user\AppData\Roaming\service.exe MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

service.exe (PID: 3520 cmdline: C:\Users\user\AppData\Roaming\service.exe MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

service.exe (PID: 6256 cmdline: C:\Users\user\AppData\Roaming\service.exe MD5: 4281B5461BA14BD8D120B72D4C7E12AA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["mylogsprvt.zapto.org"], "Port": 8899, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V2.1"}

Threatname: RedLine

{"C2 url": ["mylogsprvt.zapto.org"], "Bot Id": "8899"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\service.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\service.exe	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x7535:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x9480:$str06: downloadedfile 0x9452:$str07: creatfile 0x942e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x93f2:$str10: hidefolderfile 0x93c4:$str11: txtttt 0x990c:$str12: \root\SecurityCenter2 0x985a:$str13: [USB] 0x9840:$str14: [Drive] 0x97c2:$str15: [Folder] 0x96b6:$str16: HVNC 0x8d1e:$str17: http://exmple.com/Uploader.php 0x8f2c:$str18: XKlog.txt 0x9938:$str19: Select * from AntivirusProduct 0x9242:$str20: runnnnnn
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x7535:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x9480:$str06: downloadedfile 0x9452:$str07: creatfile 0x942e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x93f2:$str10: hidefolderfile 0x93c4:$str11: txtttt 0x990c:$str12: \root\SecurityCenter2 0x985a:$str13: [USB] 0x9840:$str14: [Drive] 0x97c2:$str15: [Folder] 0x96b6:$str16: HVNC 0x8d1e:$str17: http://exmple.com/Uploader.php 0x8f2c:$str18: XKlog.txt 0x9938:$str19: Select * from AntivirusProduct 0x9242:$str20: runnnnnn
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x7535:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x9480:$str06: downloadedfile 0x9452:$str07: creatfile 0x942e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x93f2:$str10: hidefolderfile 0x93c4:$str11: txtttt 0x990c:$str12: \root\SecurityCenter2 0x985a:$str13: [USB] 0x9840:$str14: [Drive] 0x97c2:$str15: [Folder] 0x96b6:$str16: HVNC 0x8d1e:$str17: http://exmple.com/Uploader.php 0x8f2c:$str18: XKlog.txt 0x9938:$str19: Select * from AntivirusProduct 0x9242:$str20: runnnnnn
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x7535:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x9480:$str06: downloadedfile 0x9452:$str07: creatfile 0x942e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x93f2:$str10: hidefolderfile 0x93c4:$str11: txtttt 0x990c:$str12: \root\SecurityCenter2 0x985a:$str13: [USB] 0x9840:$str14: [Drive] 0x97c2:$str15: [Folder] 0x96b6:$str16: HVNC 0x8d1e:$str17: http://exmple.com/Uploader.php 0x8f2c:$str18: XKlog.txt 0x9938:$str19: Select * from AntivirusProduct 0x9242:$str20: runnnnnn
C:\ProgramData\windows.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\windows.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\ProgramData\windows.exe	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
C:\ProgramData\windows.exe	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143cd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
C:\ProgramData\windows.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165fa:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165db:$v2_6: GetUpdates
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2ced2:$a4: get_ScannedWallets 0x44d1a:$a4: get_ScannedWallets 0x2bd30:$a5: get_ScanTelegram 0x43b78:$a5: get_ScanTelegram 0x2cb56:$a6: get_ScanGeckoBrowsersPaths 0x4499e:$a6: get_ScanGeckoBrowsersPaths 0x2a972:$a7: <Processes>k__BackingField 0x427ba:$a7: <Processes>k__BackingField 0x28884:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x406cc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2a2a6:$a9: <ScanFTP>k__BackingField 0x420ee:$a9: <ScanFTP>k__BackingField
00000000.00000002.1665323502.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000003.00000000.1663742599.0000000000362000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ohtie89k.exe PID: 7300	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ohtie89k.exe PID: 7300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ohtie89k.exe PID: 7300	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ohtie89k.exe PID: 7300	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x7341:$a4: get_ScannedWallets 0x61e8:$a5: get_ScanTelegram 0x6fca:$a6: get_ScanGeckoBrowsersPaths 0x4e7b:$a7: <Processes>k__BackingField 0x23ae:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x47af:$a9: <ScanFTP>k__BackingField
Process Memory Space: windows.exe PID: 7352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: windows.exe PID: 7352	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: windows.exe PID: 7352	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x34418:$a4: get_ScannedWallets 0x332bf:$a5: get_ScanTelegram 0x340a1:$a6: get_ScanGeckoBrowsersPaths 0x31f52:$a7: <Processes>k__BackingField 0x2f485:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x31886:$a9: <ScanFTP>k__BackingField
Process Memory Space: service.exe PID: 7380	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ohtie89k.exe.268f3b8.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ohtie89k.exe.268f3b8.1.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x599a:$str02: ngrok 0x78c0:$str02: ngrok 0x790a:$str02: ngrok 0x5735:$str03: Mutexx 0x79d4:$str04: FileManagerSplitFileManagerSplit 0x78de:$str05: InstallngC 0x7680:$str06: downloadedfile 0x7652:$str07: creatfile 0x762e:$str08: creatnewfolder 0x7610:$str09: showfolderfile 0x75f2:$str10: hidefolderfile 0x75c4:$str11: txtttt 0x7b0c:$str12: \root\SecurityCenter2 0x7a5a:$str13: [USB] 0x7a40:$str14: [Drive] 0x79c2:$str15: [Folder] 0x78b6:$str16: HVNC 0x6f1e:$str17: http://exmple.com/Uploader.php 0x712c:$str18: XKlog.txt 0x7b38:$str19: Select * from AntivirusProduct 0x7442:$str20: runnnnnn
3.0.service.exe.360000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.service.exe.360000.0.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x7535:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x9480:$str06: downloadedfile 0x9452:$str07: creatfile 0x942e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x93f2:$str10: hidefolderfile 0x93c4:$str11: txtttt 0x990c:$str12: \root\SecurityCenter2 0x985a:$str13: [USB] 0x9840:$str14: [Drive] 0x97c2:$str15: [Folder] 0x96b6:$str16: HVNC 0x8d1e:$str17: http://exmple.com/Uploader.php 0x8f2c:$str18: XKlog.txt 0x9938:$str19: Select * from AntivirusProduct 0x9242:$str20: runnnnnn
0.2.ohtie89k.exe.269a3f8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ohtie89k.exe.269a3f8.2.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x599a:$str02: ngrok 0x78c0:$str02: ngrok 0x790a:$str02: ngrok 0x5735:$str03: Mutexx 0x79d4:$str04: FileManagerSplitFileManagerSplit 0x78de:$str05: InstallngC 0x7680:$str06: downloadedfile 0x7652:$str07: creatfile 0x762e:$str08: creatnewfolder 0x7610:$str09: showfolderfile 0x75f2:$str10: hidefolderfile 0x75c4:$str11: txtttt 0x7b0c:$str12: \root\SecurityCenter2 0x7a5a:$str13: [USB] 0x7a40:$str14: [Drive] 0x79c2:$str15: [Folder] 0x78b6:$str16: HVNC 0x6f1e:$str17: http://exmple.com/Uploader.php 0x712c:$str18: XKlog.txt 0x7b38:$str19: Select * from AntivirusProduct 0x7442:$str20: runnnnnn
0.2.ohtie89k.exe.269a3f8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ohtie89k.exe.269a3f8.2.raw.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x7535:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x9480:$str06: downloadedfile 0x9452:$str07: creatfile 0x942e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x93f2:$str10: hidefolderfile 0x93c4:$str11: txtttt 0x990c:$str12: \root\SecurityCenter2 0x985a:$str13: [USB] 0x9840:$str14: [Drive] 0x97c2:$str15: [Folder] 0x96b6:$str16: HVNC 0x8d1e:$str17: http://exmple.com/Uploader.php 0x8f2c:$str18: XKlog.txt 0x9938:$str19: Select * from AntivirusProduct 0x9242:$str20: runnnnnn
1.0.windows.exe.6e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.windows.exe.6e0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.windows.exe.6e0000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
1.0.windows.exe.6e0000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143cd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
1.0.windows.exe.6e0000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165fa:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165db:$v2_6: GetUpdates
0.2.ohtie89k.exe.126a9750.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ohtie89k.exe.126a9750.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ohtie89k.exe.126a9750.4.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.ohtie89k.exe.126a9750.4.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143cd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.ohtie89k.exe.126a9750.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165fa:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165db:$v2_6: GetUpdates
0.2.ohtie89k.exe.12691908.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ohtie89k.exe.12691908.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ohtie89k.exe.12691908.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.ohtie89k.exe.12691908.3.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125cd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.ohtie89k.exe.12691908.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147fa:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147db:$v2_6: GetUpdates
0.2.ohtie89k.exe.268f3b8.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ohtie89k.exe.268f3b8.1.raw.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x779a:$str02: ngrok 0x96c0:$str02: ngrok 0x970a:$str02: ngrok 0x127da:$str02: ngrok 0x14700:$str02: ngrok 0x1474a:$str02: ngrok 0x7535:$str03: Mutexx 0x12575:$str03: Mutexx 0x97d4:$str04: FileManagerSplitFileManagerSplit 0x14814:$str04: FileManagerSplitFileManagerSplit 0x96de:$str05: InstallngC 0x1471e:$str05: InstallngC 0x9480:$str06: downloadedfile 0x144c0:$str06: downloadedfile 0x9452:$str07: creatfile 0x14492:$str07: creatfile 0x942e:$str08: creatnewfolder 0x1446e:$str08: creatnewfolder 0x9410:$str09: showfolderfile 0x14450:$str09: showfolderfile 0x93f2:$str10: hidefolderfile
0.2.ohtie89k.exe.126a9750.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ohtie89k.exe.126a9750.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ohtie89k.exe.126a9750.4.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.ohtie89k.exe.126a9750.4.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125cd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.ohtie89k.exe.126a9750.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147fa:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147db:$v2_6: GetUpdates
0.2.ohtie89k.exe.12691908.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ohtie89k.exe.12691908.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ohtie89k.exe.12691908.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b412:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a270:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b096:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28eb2:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26dc4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287e6:$a9: <ScanFTP>k__BackingField
0.2.ohtie89k.exe.12691908.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x29813:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x29847:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29870:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2baaf:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2b02b:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b373:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aca9:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x28497:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20580:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20f60:$spe6: windows-1251, CommandLine: 0x143cd:$spe9: wallet
0.2.ohtie89k.exe.12691908.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282d2:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b989:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f78:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2aec1:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284d3:$v2_2: get_ScanVPN 0x28576:$v2_2: get_ScanFTP
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\service.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\service.exe, ProcessId: 7380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\service.exe, ProcessId: 7380, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ProgramData\service.exe" , ParentImage: C:\ProgramData\service.exe, ParentProcessId: 7380, ParentProcessName: service.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe", ProcessId: 7540, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ohtie89k.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\windows.exe	Avira: detection malicious, Label: HEUR/AGEN.1305500
Source: C:\ProgramData\service.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 00000000.00000002.1665323502.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["mylogsprvt.zapto.org"], "Port": 8899, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V2.1"}
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["mylogsprvt.zapto.org"], "Bot Id": "8899"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\service.exe	ReversingLabs: Detection: 95%
Source: C:\ProgramData\windows.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\service.exe	ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: ohtie89k.exe	Virustotal: Detection: 80%			Perma Link
Source: ohtie89k.exe	ReversingLabs: Detection: 78%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ohtie89k.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ohtie89k.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Xm source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbqC source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: mylogsprvt.zapto.org
Source: Malware configuration extractor	URLs: mylogsprvt.zapto.org

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mylogsprvt.zapto.org

Source: service.exe, 00000003.00000002.4134114301.0000000002751000.00000004.00000800.00020000.00000000.sdmp, service.exe, 00000006.00000002.1699132877.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, service.exe, 00000007.00000002.1803026820.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, service.exe, 00000009.00000002.1890310813.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, service.exe, 0000000E.00000002.1965461395.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, service.exe, 0000000F.00000002.2156773663.0000000003031000.00000004.00000800.00020000.00000000.sdmp, service.exe, 00000019.00000002.2750609543.0000000003101000.00000004.00000800.00020000.00000000.sdmp, service.exe, 0000001B.00000002.3346457627.00000000023B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://exmple.com/Uploader.php
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mylogsprvt.zapto.org:45630
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mylogsprvt.zapto.org:45630/
Source: windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: windows.exe, 00000001.00000002.4134655834.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: windows.exe, 00000001.00000002.4134655834.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: windows.exe, 00000001.00000002.4134655834.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: windows.exe, 00000001.00000002.4134655834.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000002.4134655834.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: ohtie89k.exe, 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, windows.exe.0.dr	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: ohtie89k.exe, 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, windows.exe.0.dr	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: ohtie89k.exe, 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, windows.exe.0.dr	String found in binary or memory: https://ipinfo.io/ip%appdata%

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ohtie89k.exe.268f3b8.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 3.0.service.exe.360000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.269a3f8.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: windows.exe PID: 7352, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\ProgramData\service.exe, type: DROPPED	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: C:\ProgramData\windows.exe, type: DROPPED	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\ProgramData\windows.exe, type: DROPPED	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: C:\ProgramData\windows.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\ProgramData\windows.exe	Code function: 1_2_00E3E7B0	1_2_00E3E7B0
Source: C:\ProgramData\windows.exe	Code function: 1_2_00E3DC90	1_2_00E3DC90
Source: C:\ProgramData\windows.exe	Code function: 1_2_00E3BF37	1_2_00E3BF37
Source: C:\ProgramData\service.exe	Code function: 3_2_00007FFD9BAC18E5	3_2_00007FFD9BAC18E5

Source: ohtie89k.exe, 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs ohtie89k.exe
Source: ohtie89k.exe, 00000000.00000002.1665323502.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameservice.exe4 vs ohtie89k.exe

Source: ohtie89k.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ohtie89k.exe.268f3b8.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 3.0.service.exe.360000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.ohtie89k.exe.269a3f8.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: windows.exe PID: 7352, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\ProgramData\service.exe, type: DROPPED	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: C:\ProgramData\windows.exe, type: DROPPED	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\ProgramData\windows.exe, type: DROPPED	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: C:\ProgramData\windows.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: ohtie89k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ohtie89k.exe, code.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: service.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: service.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: service.exe.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: service.exe.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: service.exe0.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: service.exe0.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: service.exe0.3.dr, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: service.exe.3.dr, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: service.exe.0.dr, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@16/6@1/0

Source: C:\Users\user\Desktop\ohtie89k.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ohtie89k.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\service.exe	Mutant created: NULL
Source: C:\ProgramData\service.exe	Mutant created: \Sessions\1\BaseNamedObjects\SmH2L0949LC6zVSS
Source: C:\Users\user\Desktop\ohtie89k.exe	Mutant created: \Sessions\1\BaseNamedObjects\AQmZxALPsSikdRXvI
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: ohtie89k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ohtie89k.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ohtie89k.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ohtie89k.exe	Virustotal: Detection: 80%
Source: ohtie89k.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\ohtie89k.exe "C:\Users\user\Desktop\ohtie89k.exe"
Source: C:\Users\user\Desktop\ohtie89k.exe	Process created: C:\ProgramData\windows.exe "C:\ProgramData\windows.exe"
Source: C:\ProgramData\windows.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ohtie89k.exe	Process created: C:\ProgramData\service.exe "C:\ProgramData\service.exe"
Source: C:\ProgramData\service.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\service.exe C:\Users\user\AppData\Roaming\service.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\service.exe "C:\Users\user\AppData\Roaming\service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\service.exe "C:\Users\user\AppData\Roaming\service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\service.exe C:\Users\user\AppData\Roaming\service.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\service.exe C:\Users\user\AppData\Roaming\service.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\service.exe C:\Users\user\AppData\Roaming\service.exe
Source: C:\Users\user\Desktop\ohtie89k.exe	Process created: C:\ProgramData\windows.exe "C:\ProgramData\windows.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process created: C:\ProgramData\service.exe "C:\ProgramData\service.exe"	Jump to behavior
Source: C:\ProgramData\service.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\windows.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\service.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ohtie89k.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ohtie89k.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Xm source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbqC source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: windows.exe, 00000001.00000002.4133671544.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: service.exe.0.dr, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: service.exe.3.dr, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: service.exe0.3.dr, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: windows.exe.0.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: ohtie89k.exe

Static PE information: section name: .text entropy: 7.973555812253727

Source: C:\Users\user\Desktop\ohtie89k.exe	File created: C:\ProgramData\windows.exe	Jump to dropped file
Source: C:\ProgramData\service.exe	File created: C:\Users\user\AppData\Roaming\service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ohtie89k.exe	File created: C:\ProgramData\service.exe	Jump to dropped file
Source: C:\ProgramData\service.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ohtie89k.exe	File created: C:\ProgramData\windows.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ohtie89k.exe	File created: C:\ProgramData\service.exe			Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\ProgramData\service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\ProgramData\service.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe"

Source: C:\ProgramData\service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe

Jump to behavior

Source: C:\ProgramData\service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe

Jump to behavior

Source: C:\ProgramData\service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run service			Jump to behavior
Source: C:\ProgramData\service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run service			Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\service.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\ohtie89k.exe	Memory allocated: 7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Memory allocated: 1A670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\windows.exe	Memory allocated: E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\windows.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\windows.exe	Memory allocated: 4A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\service.exe	Memory allocated: 8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\service.exe	Memory allocated: 1A750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1AEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1B0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1B030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1B100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\service.exe	Memory allocated: 1A3B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\ohtie89k.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\service.exe	Window / User API: threadDelayed 2237			Jump to behavior
Source: C:\ProgramData\service.exe	Window / User API: threadDelayed 7676			Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\windows.exe TID: 7356	Thread sleep time: -175000s >= -30000s	Jump to behavior
Source: C:\ProgramData\service.exe TID: 7592	Thread sleep count: 2237 > 30	Jump to behavior
Source: C:\ProgramData\service.exe TID: 7592	Thread sleep time: -67110000s >= -30000s	Jump to behavior
Source: C:\ProgramData\service.exe TID: 7592	Thread sleep count: 7676 > 30	Jump to behavior
Source: C:\ProgramData\service.exe TID: 7592	Thread sleep time: -230280000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe TID: 7736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe TID: 2484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe TID: 3636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ohtie89k.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\service.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\ProgramData\service.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: service.exe, 00000003.00000002.4135021835.000000001B65D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWor%SystemRoot%\system32\mswsock.dll <workflowInstanceQueries>
Source: windows.exe, 00000001.00000002.4133671544.0000000000F22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\ProgramData\windows.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: windows.exe.0.dr, NativeHelper.cs	Reference to suspicious API methods: LoadLibrary("kernel32")
Source: windows.exe.0.dr, NativeHelper.cs	Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: service.exe.0.dr, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\ohtie89k.exe	Process created: C:\ProgramData\windows.exe "C:\ProgramData\windows.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ohtie89k.exe	Process created: C:\ProgramData\service.exe "C:\ProgramData\service.exe"	Jump to behavior
Source: C:\ProgramData\service.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\user\AppData\Roaming\service.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ohtie89k.exe	Queries volume information: C:\Users\user\Desktop\ohtie89k.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\windows.exe	Queries volume information: C:\ProgramData\windows.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\windows.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\windows.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\windows.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\windows.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\windows.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\service.exe	Queries volume information: C:\ProgramData\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Queries volume information: C:\Users\user\AppData\Roaming\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Queries volume information: C:\Users\user\AppData\Roaming\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Queries volume information: C:\Users\user\AppData\Roaming\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Queries volume information: C:\Users\user\AppData\Roaming\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Queries volume information: C:\Users\user\AppData\Roaming\service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\service.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\Desktop\ohtie89k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\windows.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.ohtie89k.exe.268f3b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.service.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.269a3f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1665323502.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1663742599.0000000000362000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\service.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED

Source: Yara match	File source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\windows.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 1.0.windows.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.126a9750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.12691908.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.126a9750.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.12691908.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1665364379.0000000012678000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1663240346.00000000006E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\windows.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.ohtie89k.exe.268f3b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.service.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.269a3f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.269a3f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ohtie89k.exe.268f3b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1665323502.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1663742599.0000000000362000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ohtie89k.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\service.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	121 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	121 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ohtie89k.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ohtie89k.exe