Edit tour

Windows Analysis Report
jVE64QGXtK.exe

Overview

General Information

Sample name:	jVE64QGXtK.exe renamed because original name is a hash value
Original sample name:	0efe3d6c35243cda4dbee77a949349f9302540eeda9f61978b84b218bf2e44d1.exe
Analysis ID:	1631805
MD5:	88be38478293f5c65d9931e777661ea9
SHA1:	eed9a0bfad836df01d2523f245ad121f3341e278
SHA256:	0efe3d6c35243cda4dbee77a949349f9302540eeda9f61978b84b218bf2e44d1
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

jVE64QGXtK.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\jVE64QGXtK.exe" MD5: 88BE38478293F5C65D9931E777661EA9)

windigo.exe (PID: 5320 cmdline: "C:\Users\user\Desktop\jVE64QGXtK.exe" MD5: 88BE38478293F5C65D9931E777661EA9)

RegSvcs.exe (PID: 5172 cmdline: "C:\Users\user\Desktop\jVE64QGXtK.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6412 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

windigo.exe (PID: 5924 cmdline: "C:\Users\user\AppData\Local\alarmingness\windigo.exe" MD5: 88BE38478293F5C65D9931E777661EA9)

RegSvcs.exe (PID: 6072 cmdline: "C:\Users\user\AppData\Local\alarmingness\windigo.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7519083675:AAGGZcn97WZPQxBGpWQkCmP1AKdcHrXbzoE", "Telegram Chatid": "6033043077"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.2099184223.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2099105602.0000000003006000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: windigo.exe PID: 5320	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: windigo.exe PID: 5320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: windigo.exe PID: 5320	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: windigo.exe PID: 5320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: windigo.exe PID: 5320	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x132b43:$a1: get_encryptedPassword 0x132e5c:$a2: get_encryptedUsername 0x1328f2:$a3: get_timePasswordChanged 0x132a13:$a4: get_passwordField 0x132b59:$a5: set_encryptedPassword 0x13445c:$a7: get_logins 0x13410d:$a8: GetOutlookPasswords 0x133eff:$a9: StartKeylogger 0x1343ac:$a10: KeyLoggerEventArgs 0x133f5c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5172	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5172	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 5172	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5172	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x40f3f:$a1: get_encryptedPassword 0x41258:$a2: get_encryptedUsername 0x40cee:$a3: get_timePasswordChanged 0x40e0f:$a4: get_passwordField 0x40f55:$a5: set_encryptedPassword 0x42858:$a7: get_logins 0x42509:$a8: GetOutlookPasswords 0x422fb:$a9: StartKeylogger 0x427a8:$a10: KeyLoggerEventArgs 0x42358:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: windigo.exe PID: 5924	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: windigo.exe PID: 5924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: windigo.exe PID: 5924	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: windigo.exe PID: 5924	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: windigo.exe PID: 5924	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x165a4c:$a1: get_encryptedPassword 0x165d65:$a2: get_encryptedUsername 0x1657fb:$a3: get_timePasswordChanged 0x16591c:$a4: get_passwordField 0x165a62:$a5: set_encryptedPassword 0x167365:$a7: get_logins 0x167016:$a8: GetOutlookPasswords 0x166e08:$a9: StartKeylogger 0x1672b5:$a10: KeyLoggerEventArgs 0x166e65:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6072	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.windigo.exe.1770000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.windigo.exe.1770000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.windigo.exe.1770000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.windigo.exe.1770000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.windigo.exe.1770000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
5.2.windigo.exe.1770000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
2.2.windigo.exe.3e70000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.windigo.exe.3e70000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.windigo.exe.3e70000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
2.2.windigo.exe.3e70000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.windigo.exe.3e70000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
2.2.windigo.exe.3e70000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
2.2.windigo.exe.3e70000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.windigo.exe.3e70000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.windigo.exe.3e70000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
2.2.windigo.exe.3e70000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.windigo.exe.3e70000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
2.2.windigo.exe.3e70000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
5.2.windigo.exe.1770000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.windigo.exe.1770000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.windigo.exe.1770000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.windigo.exe.1770000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.windigo.exe.1770000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
5.2.windigo.exe.1770000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" , ProcessId: 6412, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs" , ProcessId: 6412, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\alarmingness\windigo.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:09:44.904820+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	193.122.6.168	80	TCP
2025-03-07T16:09:59.409333+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49684	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jVE64QGXtK.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.bpkys

Found malware configuration

Source: 00000003.00000002.2099105602.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7519083675:AAGGZcn97WZPQxBGpWQkCmP1AKdcHrXbzoE", "Telegram Chatid": "6033043077"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Virustotal: Detection: 70%			Perma Link
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: jVE64QGXtK.exe	Virustotal: Detection: 70%			Perma Link
Source: jVE64QGXtK.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: jVE64QGXtK.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49685 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: windigo.exe, 00000002.00000003.873744839.0000000004050000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000002.00000003.869086083.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002326918.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002173718.0000000003400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: windigo.exe, 00000002.00000003.873744839.0000000004050000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000002.00000003.869086083.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002326918.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002173718.0000000003400000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BC445A
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCC6D1 FindFirstFileW,FindClose,	0_2_00BCC6D1
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BCC75C
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCEF95
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCF0F2
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCF3F3
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC37EF
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC3B12
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCBCBC
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0007445A
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007C6D1 FindFirstFileW,FindClose,	2_2_0007C6D1
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0007C75C
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0007EF95
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0007F0F2
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0007F3F3
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_000737EF
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00073B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00073B12
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0007BCBC

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01569731h	3_2_01569480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01569E5Ah	3_2_01569A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01569E5Ah	3_2_01569D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 011C9731h	6_2_011C9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 011C9E5Ah	6_2_011C9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 011C9E5Ah	6_2_011C9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 011C9E5Ah	6_2_011C9D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057647C9h	6_2_05764520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05768830h	6_2_05768588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0576F700h	6_2_0576F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057676D0h	6_2_05767428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0576E9F8h	6_2_0576E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05765929h	6_2_05765680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057683D8h	6_2_05768130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0576E5A0h	6_2_0576E180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0576F2A8h	6_2_0576F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 057654D1h	6_2_05765228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05765079h	6_2_05764DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05767F80h	6_2_05767CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05767278h	6_2_05766FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05764C21h	6_2_05764978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0576FB58h	6_2_0576F8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05767B28h	6_2_05767880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0576EE50h	6_2_0576EBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05765E15h	6_2_05765AD8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49684 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49685 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BD22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00BD22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002C93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: windigo.exe, 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, windigo.exe, 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002C93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: windigo.exe, 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, windigo.exe, 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: windigo.exe, 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, windigo.exe, 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.windigo.exe.3e70000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 5.2.windigo.exe.1770000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BD4164

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00BD4164
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00084164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00084164

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BD3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BD3F66

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BC001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00BC001C

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00BECABC
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0009CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0009CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B63B3A
Source: jVE64QGXtK.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: jVE64QGXtK.exe, 00000000.00000002.857677320.0000000000C14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a522c1dd-e
Source: jVE64QGXtK.exe, 00000000.00000002.857677320.0000000000C14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a1ca0d12-5
Source: jVE64QGXtK.exe, 00000000.00000003.856855914.0000000003F63000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd1845ae-f
Source: jVE64QGXtK.exe, 00000000.00000003.856855914.0000000003F63000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3e81c212-4
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00013B3A
Source: windigo.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: windigo.exe, 00000002.00000002.874981201.00000000000C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_68b2a5f2-5
Source: windigo.exe, 00000002.00000002.874981201.00000000000C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_97e26b78-1
Source: windigo.exe, 00000005.00000000.991595844.00000000000C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b52cd43a-6
Source: windigo.exe, 00000005.00000000.991595844.00000000000C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f32f503b-1
Source: jVE64QGXtK.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_acce2808-4
Source: jVE64QGXtK.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a755a80f-c
Source: windigo.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_48573feb-9
Source: windigo.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_34e75d28-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BCA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00BCA1EF

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BB8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BB8310

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00BC51BD
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_000751BD

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B6E6A0	0_2_00B6E6A0
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B61287	0_2_00B61287
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8D975	0_2_00B8D975
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B6FCE0	0_2_00B6FCE0
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B821C5	0_2_00B821C5
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B962D2	0_2_00B962D2
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BE03DA	0_2_00BE03DA
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B9242E	0_2_00B9242E
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B825FA	0_2_00B825FA
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B766E1	0_2_00B766E1
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BBE616	0_2_00BBE616
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B9878F	0_2_00B9878F
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC8889	0_2_00BC8889
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B78808	0_2_00B78808
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BE0857	0_2_00BE0857
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B96844	0_2_00B96844
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8CB21	0_2_00B8CB21
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B96DB6	0_2_00B96DB6
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B76F9E	0_2_00B76F9E
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B73030	0_2_00B73030
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B83187	0_2_00B83187
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8F1D9	0_2_00B8F1D9
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B81484	0_2_00B81484
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B75520	0_2_00B75520
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B87696	0_2_00B87696
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B75760	0_2_00B75760
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B81978	0_2_00B81978
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B99AB5	0_2_00B99AB5
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8BDA6	0_2_00B8BDA6
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B81D90	0_2_00B81D90
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BE7DDB	0_2_00BE7DDB
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B73FE0	0_2_00B73FE0
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B6DF00	0_2_00B6DF00
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_01623670	0_2_01623670
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0001E6A0	2_2_0001E6A0
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00011287	2_2_00011287
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003D975	2_2_0003D975
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0001FCE0	2_2_0001FCE0
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000321C5	2_2_000321C5
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000462D2	2_2_000462D2
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000903DA	2_2_000903DA
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0004242E	2_2_0004242E
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000325FA	2_2_000325FA
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0006E616	2_2_0006E616
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000266E1	2_2_000266E1
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0004878F	2_2_0004878F
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00028808	2_2_00028808
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00046844	2_2_00046844
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00090857	2_2_00090857
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00078889	2_2_00078889
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003CB21	2_2_0003CB21
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00046DB6	2_2_00046DB6
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00026F9E	2_2_00026F9E
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00023030	2_2_00023030
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00033187	2_2_00033187
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003F1D9	2_2_0003F1D9
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00031484	2_2_00031484
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00025520	2_2_00025520
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00037696	2_2_00037696
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00025760	2_2_00025760
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00031978	2_2_00031978
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00049AB5	2_2_00049AB5
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00031D90	2_2_00031D90
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003BDA6	2_2_0003BDA6
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00097DDB	2_2_00097DDB
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0001DF00	2_2_0001DF00
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00023FE0	2_2_00023FE0
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_03B13670	2_2_03B13670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0156C530	3_2_0156C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01569480	3_2_01569480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_015619B8	3_2_015619B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0156C521	3_2_0156C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01562DD1	3_2_01562DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0156946F	3_2_0156946F
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 5_2_01763670	5_2_01763670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011CC530	6_2_011CC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011C27B9	6_2_011C27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011C2DD1	6_2_011C2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011C9480	6_2_011C9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011CC521	6_2_011CC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011CC49F	6_2_011CC49F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011C946F	6_2_011C946F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05766138	6_2_05766138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576BC60	6_2_0576BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576AF00	6_2_0576AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057689E0	6_2_057689E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05768579	6_2_05768579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05764520	6_2_05764520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576450F	6_2_0576450F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05768588	6_2_05768588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576F458	6_2_0576F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576F448	6_2_0576F448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05767428	6_2_05767428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05767418	6_2_05767418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576E750	6_2_0576E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576E740	6_2_0576E740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576566F	6_2_0576566F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05765680	6_2_05765680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05766133	6_2_05766133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05768130	6_2_05768130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05768120	6_2_05768120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576E180	6_2_0576E180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576F000	6_2_0576F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05760330	6_2_05760330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05760320	6_2_05760320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057613A8	6_2_057613A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05765228	6_2_05765228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576521B	6_2_0576521B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05764DD0	6_2_05764DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05764DC0	6_2_05764DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05760CD8	6_2_05760CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05767CD8	6_2_05767CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05767CC8	6_2_05767CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576EFF0	6_2_0576EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05766FD0	6_2_05766FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05766FC3	6_2_05766FC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05764978	6_2_05764978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05764969	6_2_05764969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_057689D0	6_2_057689D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05767871	6_2_05767871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576F8B0	6_2_0576F8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576F8A1	6_2_0576F8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05767880	6_2_05767880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576EBA8	6_2_0576EBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0576EB98	6_2_0576EB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05765AD8	6_2_05765AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05765ACB	6_2_05765ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05760AB8	6_2_05760AB8

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: String function: 00038900 appears 42 times
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: String function: 00017DE1 appears 35 times
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: String function: 00030AE3 appears 70 times
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: String function: 00B67DE1 appears 35 times
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: String function: 00B80AE3 appears 70 times
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: String function: 00B88900 appears 42 times

Source: jVE64QGXtK.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.windigo.exe.3e70000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.windigo.exe.1770000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.windigo.exe.1770000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BCA06A GetLastError,FormatMessageW,

0_2_00BCA06A

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BB81CB AdjustTokenPrivileges,CloseHandle,	0_2_00BB81CB
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BB87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00BB87E1
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000681CB AdjustTokenPrivileges,CloseHandle,	2_2_000681CB
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_000687E1

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BCB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BCB3FB

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BDEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BDEE0D

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BD83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00BD83BB

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B64E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B64E89

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

File created: C:\Users\user\AppData\Local\alarmingness

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

File created: C:\Users\user\AppData\Local\Temp\autEFD8.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs"

Source: jVE64QGXtK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2099105602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2099105602.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2099105602.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2100195745.0000000003EDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2099105602.0000000002FAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2099105602.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2099184223.0000000002D30000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: jVE64QGXtK.exe	Virustotal: Detection: 70%
Source: jVE64QGXtK.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

File read: C:\Users\user\Desktop\jVE64QGXtK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jVE64QGXtK.exe "C:\Users\user\Desktop\jVE64QGXtK.exe"
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Process created: C:\Users\user\AppData\Local\alarmingness\windigo.exe "C:\Users\user\Desktop\jVE64QGXtK.exe"
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\jVE64QGXtK.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\alarmingness\windigo.exe "C:\Users\user\AppData\Local\alarmingness\windigo.exe"
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\alarmingness\windigo.exe"
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Process created: C:\Users\user\AppData\Local\alarmingness\windigo.exe "C:\Users\user\Desktop\jVE64QGXtK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\jVE64QGXtK.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\alarmingness\windigo.exe "C:\Users\user\AppData\Local\alarmingness\windigo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\alarmingness\windigo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: jVE64QGXtK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jVE64QGXtK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jVE64QGXtK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jVE64QGXtK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jVE64QGXtK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jVE64QGXtK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: jVE64QGXtK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: windigo.exe, 00000002.00000003.873744839.0000000004050000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000002.00000003.869086083.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002326918.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002173718.0000000003400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: windigo.exe, 00000002.00000003.873744839.0000000004050000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000002.00000003.869086083.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002326918.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, windigo.exe, 00000005.00000003.1002173718.0000000003400000.00000004.00001000.00020000.00000000.sdmp

Source: jVE64QGXtK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jVE64QGXtK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jVE64QGXtK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jVE64QGXtK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jVE64QGXtK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B64B37 LoadLibraryA,GetProcAddress,

0_2_00B64B37

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8E69D push edi; ret	0_2_00B8E6AC
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8E70F push edi; ret	0_2_00B8E711
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8E828 push esi; ret	0_2_00B8E82A
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B88945 push ecx; ret	0_2_00B88958
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8EAEC push edi; ret	0_2_00B8EAEE
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8EA03 push esi; ret	0_2_00B8EA05
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0001C508 push A30001BAh; retn 0001h	2_2_0001C50D
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003E69D push edi; ret	2_2_0003E6AC
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003E70F push edi; ret	2_2_0003E711
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003E828 push esi; ret	2_2_0003E82A
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00038945 push ecx; ret	2_2_00038958
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003EA03 push esi; ret	2_2_0003EA05
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003EAEC push edi; ret	2_2_0003EAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_011CB3A8 push eax; iretd	6_2_011CB445

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

File created: C:\Users\user\AppData\Local\alarmingness\windigo.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windigo.vbs

Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00B648D7
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BE5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00BE5376
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_000148D7
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00095376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00095376

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B83187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B83187

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	API/Special instruction interceptor: Address: 3B13294
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	API/Special instruction interceptor: Address: 1763294

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	API coverage: 5.6 %

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BC445A
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCC6D1 FindFirstFileW,FindClose,	0_2_00BCC6D1
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BCC75C
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCEF95
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCF0F2
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCF3F3
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC37EF
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC3B12
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCBCBC
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0007445A
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007C6D1 FindFirstFileW,FindClose,	2_2_0007C6D1
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0007C75C
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0007EF95
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0007F0F2
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0007F3F3
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_000737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_000737EF
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00073B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00073B12
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0007BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0007BCBC

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B649A0

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2097303691.0000000001027000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: wscript.exe, 00000004.00000002.992393346.0000024E02D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
Source: RegSvcs.exe, 00000006.00000002.2097581499.0000000001087000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	API call chain: ExitProcess graph end node			graph_0-104378
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	API call chain: ExitProcess graph end node			graph_0-104477

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BD3F09 BlockInput,

0_2_00BD3F09

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B63B3A

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B95A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B95A7C

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B64B37 LoadLibraryA,GetProcAddress,

0_2_00B64B37

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_01623560 mov eax, dword ptr fs:[00000030h]	0_2_01623560
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_01623500 mov eax, dword ptr fs:[00000030h]	0_2_01623500
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_01621EA0 mov eax, dword ptr fs:[00000030h]	0_2_01621EA0
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_03B13500 mov eax, dword ptr fs:[00000030h]	2_2_03B13500
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_03B13560 mov eax, dword ptr fs:[00000030h]	2_2_03B13560
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_03B11EA0 mov eax, dword ptr fs:[00000030h]	2_2_03B11EA0
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 5_2_01763560 mov eax, dword ptr fs:[00000030h]	5_2_01763560
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 5_2_01761EA0 mov eax, dword ptr fs:[00000030h]	5_2_01761EA0
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 5_2_01763500 mov eax, dword ptr fs:[00000030h]	5_2_01763500

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BB80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00BB80A9

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8A124 SetUnhandledExceptionFilter,	0_2_00B8A124
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00B8A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8A155
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003A124 SetUnhandledExceptionFilter,	2_2_0003A124
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_0003A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0003A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.2.windigo.exe.3e70000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 2.2.windigo.exe.3e70000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C0E008			Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: ADD008			Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BB87B1 LogonUserW,

0_2_00BB87B1

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B63B3A

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B648D7

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BC4C27 mouse_event,

0_2_00BC4C27

Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\jVE64QGXtK.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\alarmingness\windigo.exe "C:\Users\user\AppData\Local\alarmingness\windigo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\alarmingness\windigo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BB7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00BB7CAF

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BB874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BB874B

Source: jVE64QGXtK.exe, windigo.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: jVE64QGXtK.exe, windigo.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B8862B cpuid

0_2_00B8862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B94E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B94E87

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00BA1E06 GetUserNameW,

0_2_00BA1E06

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B93F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B93F3A

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Code function: 0_2_00B649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B649A0

Source: C:\Users\user\Desktop\jVE64QGXtK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: windigo.exe	Binary or memory string: WIN_81
Source: windigo.exe	Binary or memory string: WIN_XP
Source: windigo.exe	Binary or memory string: WIN_XPe
Source: windigo.exe	Binary or memory string: WIN_VISTA
Source: windigo.exe	Binary or memory string: WIN_7
Source: windigo.exe	Binary or memory string: WIN_8
Source: windigo.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2099184223.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2099105602.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6072, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.windigo.exe.1770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.windigo.exe.3e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.windigo.exe.1770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.875548481.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1014117473.0000000001770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2097081196.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windigo.exe PID: 5924, type: MEMORYSTR

Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BD6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00BD6283
Source: C:\Users\user\Desktop\jVE64QGXtK.exe	Code function: 0_2_00BD6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00BD6747
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00086283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00086283
Source: C:\Users\user\AppData\Local\alarmingness\windigo.exe	Code function: 2_2_00086747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00086747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	11 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jVE64QGXtK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
jVE64QGXtK.exe