Edit tour

Windows Analysis Report
77MmBkD2PE.exe

Overview

General Information

Sample name:	77MmBkD2PE.exe renamed because original name is a hash value
Original sample name:	5d08825ce9fff8b20e8d087ae31fb4f6ef329df7214501f31f25ff6cfa736301.exe
Analysis ID:	1634821
MD5:	3c207954b7496cf1f66ad3ecc77b0254
SHA1:	c96a34ec4929eb463f93d8315e2b819adfa36da6
SHA256:	5d08825ce9fff8b20e8d087ae31fb4f6ef329df7214501f31f25ff6cfa736301
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

77MmBkD2PE.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\77MmBkD2PE.exe" MD5: 3C207954B7496CF1F66AD3ECC77B0254)

InstallUtil.exe (PID: 772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 2044 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

CreationOptions.exe (PID: 6796 cmdline: "C:\Users\user\AppData\Roaming\CreationOptions.exe" MD5: 3C207954B7496CF1F66AD3ECC77B0254)

InstallUtil.exe (PID: 520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf5c7:$a1: get_encryptedPassword 0xf8ef:$a2: get_encryptedUsername 0xf362:$a3: get_timePasswordChanged 0xf483:$a4: get_passwordField 0xf5dd:$a5: set_encryptedPassword 0x10f39:$a7: get_logins 0x10bea:$a8: GetOutlookPasswords 0x109dc:$a9: StartKeylogger 0x10e89:$a10: KeyLoggerEventArgs 0x10a39:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf507:$a1: get_encryptedPassword 0xf82f:$a2: get_encryptedUsername 0xf2a2:$a3: get_timePasswordChanged 0xf3c3:$a4: get_passwordField 0xf51d:$a5: set_encryptedPassword 0x10e79:$a7: get_logins 0x10b2a:$a8: GetOutlookPasswords 0x1091c:$a9: StartKeylogger 0x10dc9:$a10: KeyLoggerEventArgs 0x10979:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2537851234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000001.00000002.2537851234.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1325666594.0000000005360000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1439801375.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1305238778.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2299a7:$a1: get_encryptedPassword 0x229ccf:$a2: get_encryptedUsername 0x229742:$a3: get_timePasswordChanged 0x229863:$a4: get_passwordField 0x2299bd:$a5: set_encryptedPassword 0x22b319:$a7: get_logins 0x22afca:$a8: GetOutlookPasswords 0x22adbc:$a9: StartKeylogger 0x22b269:$a10: KeyLoggerEventArgs 0x22ae19:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 77MmBkD2PE.exe PID: 6596	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 77MmBkD2PE.exe PID: 6596	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 77MmBkD2PE.exe PID: 6596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 77MmBkD2PE.exe PID: 6596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 77MmBkD2PE.exe PID: 6596	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: 77MmBkD2PE.exe PID: 6596	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 77MmBkD2PE.exe PID: 6596	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1346:$a1: get_encryptedPassword 0x15e1ea:$a1: get_encryptedPassword 0x165f:$a2: get_encryptedUsername 0x15e3c0:$a2: get_encryptedUsername 0x10f5:$a3: get_timePasswordChanged 0x15dfd6:$a3: get_timePasswordChanged 0x1216:$a4: get_passwordField 0x15e0eb:$a4: get_passwordField 0x135c:$a5: set_encryptedPassword 0x15e200:$a5: set_encryptedPassword 0x2c5f:$a7: get_logins 0x15f1f4:$a7: get_logins 0x2910:$a8: GetOutlookPasswords 0x15ef60:$a8: GetOutlookPasswords 0x2702:$a9: StartKeylogger 0x15edea:$a9: StartKeylogger 0x2baf:$a10: KeyLoggerEventArgs 0x15f157:$a10: KeyLoggerEventArgs 0x275f:$a11: KeyLoggerEventArgsEventHandler 0x15ee47:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 772	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 772	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: InstallUtil.exe PID: 772	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CreationOptions.exe PID: 6796	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1be0:$a1: get_encryptedPassword 0x1ef9:$a2: get_encryptedUsername 0x198f:$a3: get_timePasswordChanged 0x1ab0:$a4: get_passwordField 0x1bf6:$a5: set_encryptedPassword 0x34f9:$a7: get_logins 0x31aa:$a8: GetOutlookPasswords 0x2f9c:$a9: StartKeylogger 0x3449:$a10: KeyLoggerEventArgs 0x2ff9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 520	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.77MmBkD2PE.exe.5360000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.77MmBkD2PE.exe.5360000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14129:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13627:$a3: \Google\Chrome\User Data\Default\Login Data 0x13935:$a4: \Orbitum\User Data\Default\Login Data 0x1472d:$a5: \Kometa\User Data\Default\Login Data
3.2.CreationOptions.exe.3f99550.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.CreationOptions.exe.3f99550.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.77MmBkD2PE.exe.3cf17f0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.77MmBkD2PE.exe.3cf17f0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12329:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11827:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b35:$a4: \Orbitum\User Data\Default\Login Data 0x1292d:$a5: \Kometa\User Data\Default\Login Data
0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1da9d7:$a1: get_encryptedPassword 0x1dacff:$a2: get_encryptedUsername 0x1da772:$a3: get_timePasswordChanged 0x1da893:$a4: get_passwordField 0x1da9ed:$a5: set_encryptedPassword 0x1dc349:$a7: get_logins 0x1dbffa:$a8: GetOutlookPasswords 0x1dbdec:$a9: StartKeylogger 0x1dc299:$a10: KeyLoggerEventArgs 0x1dbe49:$a11: KeyLoggerEventArgsEventHandler
0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2291f7:$a1: get_encryptedPassword 0x22951f:$a2: get_encryptedUsername 0x228f92:$a3: get_timePasswordChanged 0x2290b3:$a4: get_passwordField 0x22920d:$a5: set_encryptedPassword 0x22ab69:$a7: get_logins 0x22a81a:$a8: GetOutlookPasswords 0x22a60c:$a9: StartKeylogger 0x22aab9:$a10: KeyLoggerEventArgs 0x22a669:$a11: KeyLoggerEventArgsEventHandler
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" , ProcessId: 2044, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 209.182.213.250, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 772, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49711

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs" , ProcessId: 2044, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\77MmBkD2PE.exe, ProcessId: 6596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T05:16:33.863818+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	132.226.8.169	80	TCP
2025-03-11T05:16:42.004465+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	132.226.8.169	80	TCP
2025-03-11T05:16:47.020094+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	132.226.8.169	80	TCP
2025-03-11T05:16:55.879466+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 77MmBkD2PE.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\CreationOptions.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.fivjq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\CreationOptions.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: 77MmBkD2PE.exe	Virustotal: Detection: 70%			Perma Link
Source: 77MmBkD2PE.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 77MmBkD2PE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49713 version: TLS 1.0

Source: 77MmBkD2PE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1329629126.0000000005620000.00000004.08000000.00040000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.000000000412F000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.00000000040B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1329629126.0000000005620000.00000004.08000000.00040000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.000000000412F000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.00000000040B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_01171028
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 053CD213h	0_2_053CCFE8
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 053CD213h	0_2_053CCFD9
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 053CCC43h	0_2_053CC870
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 053CCC43h	0_2_053CC880
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 055A3525h	0_2_055A31F8
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 055A3525h	0_2_055A31E8
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 4x nop then jmp 055A3525h	0_2_055A32D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 014B9741h	1_2_014B9490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 014B9E6Ah	1_2_014B9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 014B9E6Ah	1_2_014B9D97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05845E15h	1_2_05845AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05848830h	1_2_05848588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05845079h	1_2_05844DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 058447C9h	1_2_05844520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05847F80h	1_2_05847CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 058476D0h	1_2_05847428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0584F700h	1_2_0584F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05847278h	1_2_05846FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0584E9F8h	1_2_0584E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05845929h	1_2_05845680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 058483D8h	1_2_05848130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05844C21h	1_2_05844978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05847B28h	1_2_05847880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0584FB58h	1_2_0584F8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0584F2A8h	1_2_0584F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0584EE50h	1_2_0584EBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0584E5A0h	1_2_0584E2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 058454D1h	1_2_05845228
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_013D1028
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 0591D213h	3_2_0591CFD9
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 0591D213h	3_2_0591CFE8
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 0591CC43h	3_2_0591C880
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 0591CC43h	3_2_0591C870
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 05AE32F0h	3_2_05AE3238
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 05AE32F0h	3_2_05AE3230
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 05AF3525h	3_2_05AF31E8
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 05AF3525h	3_2_05AF31F8
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 4x nop then jmp 05AF3525h	3_2_05AF32D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00FE9731h	4_2_00FE9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00FE9E5Ah	4_2_00FE9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00FE9E5Ah	4_2_00FE9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00FE9E5Ah	4_2_00FE9D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then push 00000000h	4_2_055794F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055762B5h	4_2_055760D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05576C3Fh	4_2_055760D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055718A0h	4_2_055715F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05573840h	4_2_05573598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055726E0h	4_2_05572438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05570740h	4_2_05570498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055749A0h	4_2_055746F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055733E8h	4_2_05573140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_055751E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05571448h	4_2_055711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055702E8h	4_2_05570040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then push 00000000h	4_2_0557A04E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_0557A306
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05574548h	4_2_055742A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05570FF0h	4_2_05570D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05572F90h	4_2_05572CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 055740F0h	4_2_05573E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05572152h	4_2_05571EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05573C98h	4_2_055739F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_055759FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_0557581B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05570B98h	4_2_055708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05572B38h	4_2_05572890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05574DF8h	4_2_05574B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05571CF8h	4_2_05571A50

Source: global traffic

TCP traffic: 192.168.2.5:49711 -> 209.182.213.250:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 132.226.8.169:80

Source: global traffic

TCP traffic: 192.168.2.5:49711 -> 209.182.213.250:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49713 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.ncsp.pk

Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2541132083.0000000003273000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003273000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2541132083.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000004.00000002.2546788042.0000000005FB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/YIAN7
Source: InstallUtil.exe, 00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2537851234.0000000000413000.00000040.00000400.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: InstallUtil.exe, 00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.ncsp.pk
Source: InstallUtil.exe, 00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.ncsp.pkd
Source: InstallUtil.exe, 00000001.00000002.2541132083.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000001.00000002.2541132083.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: 77MmBkD2PE.exe, 00000000.00000002.1305238778.0000000002991000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2541132083.0000000003273000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1439801375.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000001.00000002.2541132083.000000000336B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2537851234.0000000000413000.00000040.00000400.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.00000000039FE000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2537851234.0000000000413000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: InstallUtil.exe, 00000001.00000002.2541132083.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2540763509.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1305238778.0000000002991000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1439801375.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp, 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, CreationOptions.exe, 00000003.00000002.1456849218.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: CreationOptions.exe.0.dr	String found in binary or memory: https://tools.ietf.org/html/rfc4253#section-4.2

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.77MmBkD2PE.exe.3cf17f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.77MmBkD2PE.exe.3cf17f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 77MmBkD2PE.exe PID: 6596, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: CreationOptions.exe PID: 6796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AE88B8 NtResumeThread,	3_2_05AE88B8
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AE4B00 NtProtectVirtualMemory,	3_2_05AE4B00
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AE88B0 NtResumeThread,	3_2_05AE88B0
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AE4AF9 NtProtectVirtualMemory,	3_2_05AE4AF9

Source: 77MmBkD2PE.exe, 00000000.00000002.1305238778.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1303220233.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1324583660.0000000004EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAjomvame.dll" vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1327248265.0000000005410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000000.1289794342.000000000064E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRFQ-3603.exe2 vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1305238778.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRFQ-3603.exe2 vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.00000000039FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1323280821.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe, 00000000.00000002.1329629126.0000000005620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 77MmBkD2PE.exe
Source: 77MmBkD2PE.exe	Binary or memory string: OriginalFilenameRFQ-3603.exe2 vs 77MmBkD2PE.exe

Source: 77MmBkD2PE.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CreationOptions.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: unknown	Process created: C:\Users\user\Desktop\77MmBkD2PE.exe "C:\Users\user\Desktop\77MmBkD2PE.exe"
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CreationOptions.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\CreationOptions.exe "C:\Users\user\AppData\Roaming\CreationOptions.exe"
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\CreationOptions.exe "C:\Users\user\AppData\Roaming\CreationOptions.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.77MmBkD2PE.exe.3a87790.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.77MmBkD2PE.exe.5360000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.77MmBkD2PE.exe.5360000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.CreationOptions.exe.3f99550.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.CreationOptions.exe.3f99550.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1456849218.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1325666594.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1439801375.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1305238778.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 77MmBkD2PE.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CreationOptions.exe PID: 6796, type: MEMORYSTR

Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 0_2_01174AC7 push ebx; iretd	0_2_01174ACA
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 0_2_0520BB07 push dword ptr [esp+ebp-75h]; iretd	0_2_0520BACB
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 0_2_05202A6A push esp; retf	0_2_05202A71
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 0_2_052199E2 pushad ; iretd	0_2_052199E5
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 0_2_055A5FE2 pushad ; iretd	0_2_055A5FE9
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Code function: 0_2_0560174B push ecx; iretd	0_2_0560174C
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_013D4AC7 push ebx; iretd	3_2_013D4ACA
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_0585BB07 push dword ptr [esp+ebp-75h]; iretd	3_2_0585BACB
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05852A6B push esp; retf	3_2_05852A71
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_058699E2 pushad ; iretd	3_2_058699E5
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05864502 push ebx; iretd	3_2_0586450F
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05864806 push eax; iretd	3_2_0586480C
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_058642D4 push ebp; iretd	3_2_058642DA
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05864630 push edx; iretd	3_2_05864636
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AE76AC push esp; iretd	3_2_05AE76D9
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AFCFE6 push ebp; retf	3_2_05AFCFF5
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05AF5FE2 pushad ; iretd	3_2_05AF5FE9
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Code function: 3_2_05B5174B push ecx; iretd	3_2_05B5174C

Source: 77MmBkD2PE.exe	Static PE information: section name: .text entropy: 7.513228807095967
Source: CreationOptions.exe.0.dr	Static PE information: section name: .text entropy: 7.513228807095967

Source: 0.2.77MmBkD2PE.exe.4ee0000.6.raw.unpack, AR3JAbrt7G1Dw0ui7Bi.cs	High entropy of concatenated method names: 'hKYrE6jpKJ', 'RBLra7g4vF', 'SGRr3dra8W', 'mGjrg73Eu1', 'DWkrwSDHYT', 'lcKrGA3DsG', 'hDArnaBE8K', 'qYVr0GhkHR', 'iR7rRXZ1AF', 'O0TrOJkit6'
Source: 0.2.77MmBkD2PE.exe.4ee0000.6.raw.unpack, ugc0Hypp4ktvnHw4yg4.cs	High entropy of concatenated method names: 'qt3p8lekCf', 'qUWpZHTdMW', 'g4cptbROnM', 'IiJpsITeQK', 'ULFpE9ykwB', 'gExpN3l6VA', 'on2y86P7F1bDWiPbaGy', 'gBSfFiPuvlIE1RMhgXr'

Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 5220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 49F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1869	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 487	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1904	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6560	Thread sleep count: 905 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99639s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6560	Thread sleep count: 1869 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3384	Thread sleep count: 487 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3384	Thread sleep count: 1904 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99527s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99287s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -98867s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: InstallUtil.exe, 00000004.00000002.2538794584.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: CreationOptions.exe, 00000003.00000002.1439801375.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: CreationOptions.exe, 00000003.00000002.1439801375.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000001.00000002.2539301708.0000000001606000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000002.00000002.1423940229.000002345F1A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]G}w

Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 9AC008	Jump to behavior

Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Queries volume information: C:\Users\user\Desktop\77MmBkD2PE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\77MmBkD2PE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Queries volume information: C:\Users\user\AppData\Roaming\CreationOptions.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CreationOptions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 77MmBkD2PE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
77MmBkD2PE.exe

Source: Yara match	File source: 0.2.77MmBkD2PE.exe.3cf17f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.77MmBkD2PE.exe.3cf17f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.77MmBkD2PE.exe.3b25fd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.77MmBkD2PE.exe.3ad77b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1456849218.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1323280821.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2537851234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2537851234.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1323280821.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 77MmBkD2PE.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CreationOptions.exe PID: 6796, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Scheduled Task/Job	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	211 Process Injection	3 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Software Packing	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery