Windows Analysis Report
https://westmaidentrue.click/mirage/magestique

Overview

General Information

Sample URL: https://westmaidentrue.click/mirage/magestique
Analysis ID: 1636623

Detection

RedLine
Score: 60 (range 0 - 100)
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Yara detected Credential Stealer

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 4660 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 6308 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://westmaidentrue.click/mirage/magestique" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • rundll32.exe (PID: 1560 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • zkwindow.exe (PID: 3832 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe" MD5: 7700F61BECA60DB53658C52A05B01941)
  • 7zG.exe (PID: 3620 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\Stars_pack_version_21.3.1\" -spe -an -ai#7zMap13774:114:7zEvent31951 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • zkwindow.exe (PID: 6020 cmdline: "C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe" MD5: 7700F61BECA60DB53658C52A05B01941)
    • cmd.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 1660 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Yara matches (memory dumps)

Source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp
  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security

Both rules hit the same in-memory region; this is the only Yara source on the page, no dropped file on disk triggered a rule.

      No Sigma rule has matched
      No Suricata rule has matched

      Source: C:\Program Files\7-Zip\7zG.exe | File opened: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll
      Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49728 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49727 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49729 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49726 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49725 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 184.86.251.25:443 -> 192.168.2.17:49740 version: TLS 1.2
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 51.132.193.104 (7 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.190.73 (7 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.28.46 (7 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 52.123.128.14 (7 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.186.131 (2 entries)
      Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.60 (9 entries)
      Note: the 1.1.1.1 entries are the resolver traffic itself (UDP to a public DNS server, which by definition has no preceding DNS answer). The TCP destinations sit in Microsoft (13.107.246.x, 51.132.x, 52.109.x, 52.123.x, 204.79.197.x), Akamai (2.17.x) and Google (142.250.x) address space that the analysis image contacts in the background; none of them should be treated as this sample's C2 without packet-level confirmation, and no Suricata rule matched during the run.
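The "traffic without corresponding DNS query" signature above is a correlation between DNS answers and later connections. The following is an added example (not code from the Joe Sandbox report) that reproduces that correlation over a constructed, in-memory event list modelled on the addresses in this report; the resolved address for westmaidentrue.click is a made-up RFC 5737 test address because the page does not show the DNS answer, and the timestamps are invented.

```python
"""Flag connections whose destination IP never appeared in a DNS answer.

Added example, not from the Joe Sandbox report: reproduces the logic behind the
"TCP/UDP traffic detected without corresponding DNS query" signature over a
constructed event list. Unlike the report, port-53 traffic to a known resolver is
excluded, because the lookup itself can never have a preceding answer.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable


@dataclass(frozen=True)
class DnsAnswer:
    ts: float
    qname: str
    answer: str          # resolved address as text


@dataclass(frozen=True)
class Connection:
    ts: float
    proto: str           # "tcp" or "udp"
    dst: str
    dport: int


# Constructed sample events (relative seconds; 203.0.113.10 is an assumed answer).
SAMPLE_DNS = [
    DnsAnswer(1.0, "westmaidentrue.click", "203.0.113.10"),
    DnsAnswer(1.2, "www.google.com", "142.250.186.131"),
]
SAMPLE_CONNS = [
    Connection(0.5, "udp", "1.1.1.1", 53),           # the resolver: expected, skipped
    Connection(1.1, "tcp", "203.0.113.10", 443),     # resolved just before: fine
    Connection(1.3, "tcp", "142.250.186.131", 443),  # resolved just before: fine
    Connection(2.0, "tcp", "13.107.246.60", 443),    # no DNS answer seen: flag
    Connection(2.1, "tcp", "204.79.197.203", 443),   # no DNS answer seen: flag
]


def unresolved_connections(dns: Iterable[DnsAnswer], conns: Iterable[Connection],
                           resolvers=("1.1.1.1",)) -> list:
    """Return connections (in time order) to IPs that no earlier DNS answer produced."""
    answers = sorted(dns, key=lambda a: a.ts)
    flagged = []
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dport == 53 and c.dst in resolvers:
            continue
        dst = ip_address(c.dst)
        seen = any(a.ts <= c.ts and ip_address(a.answer) == dst for a in answers)
        if not seen:
            flagged.append(c)
    return flagged


def summarize(flagged) -> list:
    """Collapse repeated hits to (ip, count) pairs, most frequent first."""
    counts = {}
    for c in flagged:
        counts[c.dst] = counts.get(c.dst, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in summarize(unresolved_connections(SAMPLE_DNS, SAMPLE_CONNS)):
        print(f"{ip:16} {n} connection(s) without a preceding DNS answer")
```

On a real capture the two lists come from the DNS and connection logs of the same sensor; the ordering check (answer timestamp not later than the connection) matters, since a lookup that happens after the connection is not what resolved it.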
      Source: global traffic | HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.svc.static.microsoft
      Note: the User-Agent and host identify these five requests as Office telemetry rule downloads by the analysis image's own Office installation, not traffic generated by the sample.
      Source: global traffic | DNS traffic detected: DNS query: westmaidentrue.click
      Source: global traffic | DNS traffic detected: DNS query: www.google.com
      Source: unknown | Network traffic detected: HTTP traffic on port 443, 39 entries covering local client ports 49671, 49672, 49673, 49677, 49682, 49697, 49698, 49699, 49700, 49701, 49711, 49712, 49714, 49716, 49725, 49726, 49727, 49728, 49729, 49733, 49740 and 49741 (22 outbound "<port> -> 443" entries and 17 return-direction "443 -> <port>" entries)
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir4660_2138186876
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir4660_2138186876
      Note: these two Chrome entries are what satisfy the "Creates files inside the system directory" and "Deletes files inside the Windows folder" signatures in the summary; they are the browser's own scratch directory, not sample activity.
      Source: classification engine | Classification label: mal60.troj.evad.win@32/14@4/102
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\d5d6b308-bfbb-4dd4-bf8b-ff8f825d0b61.tmp
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | File created: C:\Users\user\AppData\Local\Temp\c149800b
      Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3
      Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://westmaidentrue.click/mirage/magestique"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 entries)
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (12 entries)
      Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (4 entries)
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe "C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe"
      Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\Stars_pack_version_21.3.1\" -spe -an -ai#7zMap13774:114:7zEvent31951
      Source: unknown | Process created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe "C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe"
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (1 entry)
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe | Sections loaded (in order): apphelp.dll, qtcore4.dll, qtgui4.dll, qtnetwork4.dll, comn.dll
      Source: C:\Program Files\7-Zip\7zG.exe | Sections loaded (in order): kernel.appcore.dll, uxtheme.dll, cryptbase.dll, explorerframe.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Sections loaded (in order): apphelp.dll, qtcore4.dll, qtgui4.dll, qtnetwork4.dll, comn.dll, winmm.dll, dnsapi.dll, libssl-1_1.dll, userenv.dll, netapi32.dll, libcrypto-1_1.dll, netutils.dll, samcli.dll, dbghelp.dll, pla.dll, pdh.dll, tdh.dll, cabinet.dll, wevtapi.dll, shdocvw.dll, ntmarta.dll, winhttp.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded (in order): winbrand.dll, wldp.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, bitsproxy.dll
      Note: zkwindow.exe is a Qt 4 application that resolves qtcore4, qtgui4, qtnetwork4 and comn.dll from its own extraction folder. Comn.dll is the one library among the dropped files that is neither a Qt module nor a Visual C++ / OpenSSL runtime, and DLL Side-Loading is a matched technique in the ATT&CK summary below, so it is the first file to pull apart. The run from the Explorer zip-preview folder stops after loading comn.dll; the run from Downloads goes on to load name resolution and TLS (dnsapi, libssl-1_1, libcrypto-1_1, winhttp) and account enumeration (netapi32, samcli) libraries before spawning cmd.exe.
      Source: C:\Program Files\7-Zip\7zG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\Comn.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtCore4.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtGui4.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtNetwork4.dll
      Source: C:\Program Files\7-Zip\7zG.exe | File created (dropped file): C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll
      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | API/Special instruction interceptor: Address: 6CB27C44
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | API/Special instruction interceptor: Address: 6CB27945
      Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6CB23B54
      Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll
      Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll
      Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll
      Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | NtProtectVirtualMemory: Direct from: 0x77DF7B2E
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | NtQueryInformationToken: Direct from: 0x6500399D
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | NtSetSecurityObject: Direct from: 0x77DF63E1
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
      Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Note: the three "Direct from" entries are the evidence behind "Found direct / indirect Syscall (likely to bypass EDR)"; the "Section loaded: NULL target" entry is zkwindow.exe mapping a read-write section into the cmd.exe it started ("Maps a DLL or memory area into another process"). Neither that cmd.exe nor the MSBuild.exe it spawns was given any command-line arguments, which is consistent with the suspended-process and memory-mapping signatures in the summary: what they do comes from code placed in them, not from their arguments.
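The chain above (a Qt executable run from an archive, spawning an argument-less 32-bit cmd.exe that in turn spawns an argument-less MSBuild.exe) is what an endpoint hunt should key on. The following is an added example, not code from the report or from Joe Sandbox: the process-creation events are constructed to mirror this page's process tree (Sysmon Event ID 1 style fields, PIDs taken from the tree, parent PIDs and a benign control event invented), and the rules are the author's, not a Joe Sandbox signature.

```python
"""Hunt the zkwindow.exe -> cmd.exe -> MSBuild.exe chain in process-creation events.

Added example, not part of the Joe Sandbox report. Events below are constructed
to mirror the report's process tree; the rule names and the benign control
event are invented for illustration.
"""
import ntpath
import re

# Constructed events modelled on the report's process tree.
EVENTS = [
    {"pid": 3832, "ppid": 1234,
     "image": r"C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6020, "ppid": 1234,
     "image": r"C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe",
     "cmdline": r'"C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4832, "ppid": 6020,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe"},
    {"pid": 1660, "ppid": 4832,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign control (invented): a developer build, MSBuild given a project to build.
    {"pid": 7000, "ppid": 7001,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.I)
ZIP_PREVIEW = re.compile(r"\\Temp1_[^\\]+\.zip\\", re.I)   # Explorer's open-from-zip staging folder
# .NET binaries commonly started empty as hosts for injected code.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def has_no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line is nothing but the image path (quoted or not)."""
    return cmdline.strip().strip('"').lower() == image.lower()


def evaluate(events) -> list:
    """Return (pid, rule) findings; a pid can trigger more than one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if ZIP_PREVIEW.search(e["image"]):
            findings.append((e["pid"], "exe_run_from_zip_preview"))
        if img == "cmd.exe" and has_no_arguments(e["cmdline"], e["image"]) \
                and USER_WRITABLE.match(e["parent_image"]):
            findings.append((e["pid"], "argless_cmd_from_user_writable_parent"))
        if img in INJECTION_HOSTS and has_no_arguments(e["cmdline"], e["image"]):
            # A build tool with nothing to build does no useful work on its own.
            findings.append((e["pid"], "argless_dotnet_host"))
            if parent and basename(parent["image"]) == "cmd.exe" \
                    and has_no_arguments(parent["cmdline"], parent["image"]):
                findings.append((e["pid"], "argless_host_from_argless_cmd"))
    return findings


def chain(events, pid: int) -> str:
    """Walk ppid links upward to show the ancestry of a finding."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(out)


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"{rule:40} pid={pid} chain={chain(EVENTS, pid)}")
```

The argument-less checks are the discriminating part: developers run MSBuild.exe with a project file and cmd.exe with /c or /k, so an empty command line on either, chained, is rare outside injection. The zip-preview rule fires on the first zkwindow.exe instance only; the second run, from Downloads, is the one that goes on to spawn cmd.exe.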

      Stealing of Sensitive Information

      Source: Yara match | File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match | File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
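Every Yara hit on this page points at the same memory-dump file, and the dump name encodes where in the process the match was found. The following is an added example, not from the report or from Joe Sandbox, that decodes such a name. The Win32 constants are certain; the field order is an assumption inferred from this report's own name, whose three trailing hex fields decode exactly as the MEMORY_BASIC_INFORMATION Protect, State and Type values (0x4 = PAGE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE), and reading the first three fields as decimal is likewise an assumption.

```python
"""Decode a Joe Sandbox memory-dump file name into Win32 memory-region attributes.

Added example, not part of the report. Field layout is an assumption inferred
from the name on this page (see the lead-in); the Win32 constants are from winnt.h.
"""
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE = {0x04, 0x08, 0x40, 0x80}


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # assumed meaning: Joe's per-analysis process number
    dump_phase: int      # assumed meaning: which dump pass produced the file
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Low byte only: PAGE_GUARD / PAGE_NOCACHE live in the upper bits.
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, hex(self.state))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    def is_unbacked_writable(self) -> bool:
        """Committed, private, writable memory: not an image section, so a Yara
        hit here means the payload was written at run time (unpacked or injected)
        and those bytes are not recoverable from any file on disk."""
        return (self.mem_type == 0x20000 and self.state == 0x1000
                and (self.protect & 0xFF) in WRITABLE)

    def describe(self) -> str:
        return (f"process #{self.process_index} dump {self.dump_phase}: "
                f"base 0x{self.base:08X} {self.protect_name} {self.state_name} {self.type_name}")


def parse_dump_name(name: str) -> DumpRegion:
    """Split '<proc>.<phase>.<id>.<base>.<protect>.<state>.<type>.<reserved>.sdmp'."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}: {name!r}")
    proc, phase, dump_id = (int(p, 10) for p in parts[:3])
    base, protect, state, mem_type, _reserved = (int(p, 16) for p in parts[3:])
    return DumpRegion(proc, phase, dump_id, base, protect, state, mem_type)


if __name__ == "__main__":
    r = parse_dump_name("00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp")
    print(r.describe(), "| run-time written payload:", r.is_unbacked_writable())
```

For this report the region is private, committed and read-write, which is why the RedLine match exists only in memory: the dropped files are a clean-looking Qt application plus runtimes, and the stealer is decoded into heap-like memory after the side-loaded library runs.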
      MITRE ATT&CK Matrix (the table was flattened during extraction; only the cells that carried a signature-count badge apply to this sample, the remaining cells were the standard matrix headings and are omitted here; badge digits are reproduced as extracted)

      • Persistence: DLL Side-Loading (1)
      • Privilege Escalation: Process Injection (111), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
      • Defense Evasion: Masquerading (11), Process Injection (111), Abuse Elevation Control Mechanism (1), Rundll32 (1), DLL Side-Loading (1), File Deletion (1)
      • Discovery: Security Software Discovery (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (111)
      • Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3)
      • No technique was matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.

Source | Detection | Scanner | Label | Link
https://westmaidentrue.click/mirage/magestique | 0% | Avira URL Cloud | safe |
Source | Detection | Scanner | Label | Link
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\Comn.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtCore4.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtGui4.dll | 11% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtNetwork4.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe | 0% | ReversingLabs | |
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://otelrules.svc.static.microsoft/rules/rule120128v0s19.xml | 0% | Avira URL Cloud | safe |
https://otelrules.svc.static.microsoft/rules/rule702450v1s19.xml | 0% | Avira URL Cloud | safe |
https://otelrules.svc.static.microsoft/rules/rule701100v1s19.xml | 0% | Avira URL Cloud | safe |
https://otelrules.svc.static.microsoft/rules/rule701101v1s19.xml | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
westmaidentrue.click | 104.21.16.1 | true | false | | unknown
www.google.com | 142.250.181.228 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://otelrules.svc.static.microsoft/rules/rule702450v1s19.xml | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/rule701100v1s19.xml | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/rule120128v0s19.xml | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xml | false | | high
https://otelrules.svc.static.microsoft/rules/rule701101v1s19.xml | false | Avira URL Cloud: safe | unknown
Legend of the contacted-IP map (map graphic not included): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.99 | unknown | United States | 15169 | GOOGLEUS | false
142.250.110.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.181.238 | unknown | United States | 15169 | GOOGLEUS | false
104.21.16.1 | westmaidentrue.click | United States | 13335 | CLOUDFLARENETUS | false
142.250.185.206 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
142.250.181.228 | www.google.com | United States | 15169 | GOOGLEUS | false
142.250.186.142 | unknown | United States | 15169 | GOOGLEUS | false
142.250.184.227 | unknown | United States | 15169 | GOOGLEUS | false
216.58.212.163 | unknown | United States | 15169 | GOOGLEUS | false
IP: 192.168.2.17
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1636623
Start date and time: 2025-03-13 00:54:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://westmaidentrue.click/mirage/magestique
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.troj.evad.win@32/14@4/102
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.184.227, 142.250.186.142, 142.250.185.206, 142.250.110.84
• Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• VT rate limit hit for: https://westmaidentrue.click/mirage/magestique
Process: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe
File Type: data
Category: dropped
Size (bytes): 1573670
Entropy (8bit): 7.7267050576046
Encrypted: false
SSDEEP:
MD5: FE456788132917CE89DC14974A4EEBE1
SHA1: 8F73A042EC8F996273E1F351D219055FF161D397
SHA-256: DF12CB39E129E6E4BC8711D1CF78CCE05B99D5A2137B3C9B24BAD0A53682754A
SHA-512: 2DD3313982317E0C008BBA0E121B55521ADED3B94A79B756780B1A5DF5724458642F5C327B6F3D526FC6CEB65B8D2C9C4E1201AB236E56A1B3CF342DD0740696
Malicious: false
Reputation: unknown
            Preview:.X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..............*...>...1.../...,...x...-...7...5...,...-..X..X..X..X..X..X..X..X..X..X..X...7...,...1... ..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X...7...9...6...6...X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..............7...,.......9...7...X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X...j..m..o..X..X..X..X..X..X..X..X..X..X..
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: AA29FF8DCBFB8156EBA033E28F03A04F
SHA1: 1453014278C8891FCE9685C0A6BD4D079A763C24
SHA-256: 1A34C9B4500CF7859C36C102209902202FB7188ACA1BA759F2D5018BF2655CC1
SHA-512: 14A8EFC38A3DD0215B5B9587C80740681E0464F075EE777389E9458411590CF3CDD3EB0A7EF328EFFEA5AE0DDC6E6AF20266ED88717743CD46B364E0736C3EEF
Malicious: false
Reputation: unknown
            Preview:PK.........AlZ................version_21/PK........1AlZ...9....>Q......version_21/acajou.dmgT[...U.?...H.`..01.lX....{.w.T..H..."\.5D..(......QNL4)..>%%......]..{.7......c8..|.k....X.1{.5..g>.I....mg~.x#.....X.....R..P.[..X..{I.a,.......~..f.:.....g5..G+jM........eZc...X'.y....#e......(...1'..*.*I.^./.B.'..2. ..V. .........+3..Z...iMJ...t.K.z....a.B.+.:f.ZCY.c&...{B.#..!..X.me>.#.:....~..A!m2.<.p...%..>.....:.....Mc.. .x.....j...I.W.k..Y.....2.C.k..X~@(.!.7...i..... `bO...o.F'..F.9.GN...(A..)K.....I@.,|N..R.Gc@.....".C|...N.T6.J.a.X..S..b....6..c...!...7.%...Z..rvV.Rs%..=..'T=.%C..Ju4..X1.+.0....$l..&..Y.C.Za.n.9#..m...Y...."R?.$VZ.w.... ..rE..jK6.-....V..*1Q.....H..V...9b.J.f.h.........eE%..8.KUhGhJ...f......ki.U\..:.]f..}.. ..D..{......:..,...*....'.x..:~..Y!f....@..8<:..s8...n.........Z...gX8...8.A.....'.4=f6|....`I%S.R.:c.sB.#.....F).?.....6...H.........J.E....mVt..I.c1Z_.H..g!U....>8........a...."..5.\...~.../Y........'.q.X....}.Zbv..p..h.!?Yb..
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 7905506
Entropy (8bit): 7.9967988625890225
Encrypted: true
SSDEEP:
MD5: AA29FF8DCBFB8156EBA033E28F03A04F
SHA1: 1453014278C8891FCE9685C0A6BD4D079A763C24
SHA-256: 1A34C9B4500CF7859C36C102209902202FB7188ACA1BA759F2D5018BF2655CC1
SHA-512: 14A8EFC38A3DD0215B5B9587C80740681E0464F075EE777389E9458411590CF3CDD3EB0A7EF328EFFEA5AE0DDC6E6AF20266ED88717743CD46B364E0736C3EEF
Malicious: false
Reputation: unknown
            Preview:PK.........AlZ................version_21/PK........1AlZ...9....>Q......version_21/acajou.dmgT[...U.?...H.`..01.lX....{.w.T..H..."\.5D..(......QNL4)..>%%......]..{.7......c8..|.k....X.1{.5..g>.I....mg~.x#.....X.....R..P.[..X..{I.a,.......~..f.:.....g5..G+jM........eZc...X'.y....#e......(...1'..*.*I.^./.B.'..2. ..V. .........+3..Z...iMJ...t.K.z....a.B.+.:f.ZCY.c&...{B.#..!..X.me>.#.:....~..A!m2.<.p...%..>.....:.....Mc.. .x.....j...I.W.k..Y.....2.C.k..X~@(.!.7...i..... `bO...o.F'..F.9.GN...(A..)K.....I@.,|N..R.Gc@.....".C|...N.T6.J.a.X..S..b....6..c...!...7.%...Z..rvV.Rs%..=..'T=.%C..Ju4..X1.+.0....$l..&..Y.C.Za.n.9#..m...Y...."R?.$VZ.w.... ..rE..jK6.-....V..*1Q.....H..V...9b.J.f.h.........eE%..8.KUhGhJ...f......ki.U\..:.]f..}.. ..D..{......:..,...*....'.x..:~..Y!f....@..8<:..s8...n.........Z...gX8...8.A.....'.4=f6|....`I%S.R.:c.sB.#.....F).?.....6...H.........J.E....mVt..I.c1Z_.H..g!U....>8........a...."..5.\...~.../Y........'.q.X....}.Zbv..p..h.!?Yb..
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 357824
Entropy (8bit): 6.480962458661732
Encrypted: false
SSDEEP:
MD5: F76F5A566CBB5F561D26E7ACA841C723
SHA1: 4838FD2DD9DBFCDAF2B1F11091F15A17F93C29BE
SHA-256: 0576FC3B0C9381C47A8A9443ABDD195EEBB34ECE0ADC5C6D17624CA0E914E8E3
SHA-512: 9F574F09A4C54B8E786846297FCFAD7AF647EB134D8E960B078A83E982CCAE2956AA6C4C1014C01C7774461E31314904CB6DFC325C7A90C3E31130838BEB24C0
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#..B...B...B..$..B.....B.......B.......B.....B...B...C...a...B.....B.....B.....B..Rich.B..................PE..L.....Rc...........!.....p..........,........................................0..........................................[...d...,.................... ...U......t1...................................W..@............................................text...ae.......p.................. ..`.rdata...=.......@..................@..@.data...............................@....rsrc...............................@..@.reloc...6.......@..................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2417832
Entropy (8bit): 6.575514790038478
Encrypted: false
SSDEEP:
MD5: 03985B7B207E63B6BB894EA6EA78D92B
SHA1: 0E6FC44B1F3C724E6050152D9E240A548314A6FF
SHA-256: 793153A9262E4C280A71EA595FE49208A89766D6D344766AF0ABF8C32648F3E0
SHA-512: A2E9749C7D7C9745EB16B6976C6C208B3CE2EE524E958CF7C41D0D31A7FB761C4F66AD8320301C652EF4EA8128111AD9687E64F3944D40B933153D99AB8C272B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........AP...P...P....L..R...wN..Z...wN..T.......R.......[...P...B...wN..q...wN.....wN..Q...wN..Q...wN..Q...RichP...........................PE..L...'W.P...........!.....@...P.......H.......P.....g..............F...........$.......%.............................p$..N(............#...............$..D....#.<...................................x...@............P..P............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data...D+...P#..0...P#.............@....rsrc.........#.......#.............@..@.reloc..p.....#.......#.............@..B................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 8602792
Entropy (8bit): 6.7150598637405245
Encrypted: false
SSDEEP:
MD5: 4346A780699F377A189A38247A0D513A
SHA1: 5D5AA81A6CA07862A8A7E48D592CDA6377C1AA60
SHA-256: DBDF5E11EC81ED1D941EC16FC7B94AB65F814CEB1E7FB524F2C64CBB422F7382
SHA-512: C8A7B3DDFC856510334B7BA382B5DBAAC08E9E7EF4A1209ABFB2AA21F5C5A54DF5390F2145FA1D3C1E4E5A2983A692A133D9D219D0AE9FD0870C52AC414F317C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 11%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......TEg..$...$...$...w..$..7.t..$...+V..$..7.r..$...+T..$...$..d#..7.d..$..7.g..%..7.s..$..7.u..$..7.q..$..Rich.$..........PE..L....Y.P...........!.....@Y...)......RQ......PY....e..............F..........@......................................`.n.....`.m.,....@|..................D...P|..k..................................htd.@............PY..............................text....=Y......@Y................. ..`.rdata...."..PY.. "..PY.............@..@.data........p{......p{.............@....rsrc........@|.......|.............@..@.reloc..8....P|.......|.............@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 844968
Entropy (8bit): 6.4745607519760995
Encrypted: false
SSDEEP:
MD5: A3C0C0B1442CDC0A2F49C2B2AE39D245
SHA1: 6AFF3D64E06955FB9AD4B19C394DCFDC212B423A
SHA-256: 901FC44992636086F2BC958AA3BDBE2D9AC3E169FC11E0F9D92D235CC906A35A
SHA-512: B4BB0196AB8A960206B7F1D082EB7D94A408345A2887694D17186F3A2581E9263DDD43D099F2493EE8789AB5EBABAC911BA54C069E517CFC479461B1A7BB4F20
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.t.............$d.....%&w.....%&g.....%&a...............G.....%&t.R...%&`.....%&f.....%&b.....Rich....................PE..L...4L.X...........!......................... .....d..............F.................i&..............................@.......$9..d........................D......D.......................................@............ ...............................text............................... ..`.rdata..:a... ...p... ..............@..@.data....7....... ..................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: Matlab v4 mat-file (little endian) l, numeric, rows 20557, columns 7301632
Category: dropped
Size (bytes): 1331518
Entropy (8bit): 7.955151872319542
Encrypted: false
SSDEEP:
MD5: FFE5B815B53AEFA2A3F9841B769E81CF
SHA1: 7CA12C0A136835C659F3DAFF0E6ECEAB396F45E2
SHA-256: 881E7EF68C2A1BCFBDC5ED6F487964B5DE35D0D089EFC070392695012E9D25D0
SHA-512: DCB9AC756428D05B06B589158FAE4A7C5396ACB54F739FC21866E77DCB475E35F4650954F29A8792BC957FC6DD0D5100852C85C791860637ECDBF3A3452CF2B8
Malicious: false
Reputation: unknown
            Preview:....MP...jo......CcGl..a..OZ.r.a....OV.\b.m...v.SO.W...U\.....S.....b.qI.M..lQfZ.....Als.w..Y.Wwa.u..g.K.o.C.U.XW....S.mC.op.Yi`.kW.oR.h]mCDX.I..[w.BTU.EI]NTFB.u^.vh.w\lU.Tfe..dI.T..]......U..Q.y.n.T..kfmwbxfgZ..b^Av.OyYZem.y\.q.o.ob..gwq.l.UT.T...oE.EJA.c.....u....fEbw.t.x.qL..v..MPip.U.vMZe.^.JRN..dTZ.U.......X...M.s.XSM.VDPZ.ucnB..[X..i..yicJJ.h.h....t...Ok..PV...........X...[bCdh..[E.K..h....^P.`..Y.._tS.Qy...v.n_..lFf.....ivMnI.tI.qm.sM....M.db..mU...W..d....b.......Sk..]X.....j..............aE....X...K.T^..g....d.nNg...Y^d..ZQ..c...otqTA.XWvJe...j.c.f....r..Y.iL..W..H.....BG..o_..Q^.J..Zl.S.GZ.t...q.ScZBN.Q.Gu.a^q..g.C.g.R..wR...R..r.x..........JH\.S..h.I..SfPo....ox.wgO.nY..R.A.G.vOh.s.`Bw.....dc....^.po..iw.j^.....Y._.....K...`NY...kfLl.\u.M..m.av[.Q\.xerb.X..e.R...y.B..._..Gf.f....j[v.Rl...k..V.gjMUMNar.Nb\...BG..CBl...n.u..Zq.yX.wLf...BoiL...[...d.w...o..ILEl.Vtl...S`..b.N].jA.Ny.Y.._.RBit\...jgO.sC.y.y....\.T..Soc.i._A\..FVO]......L....Vv..XI.H.n.....n\....S.gDt.J.ZW.[.k.hBW
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2344104
Entropy (8bit): 6.164986869226677
Encrypted: false
SSDEEP:
MD5: 832205883448AB8C689D8A434D92F80B
SHA1: 890C403A288C65683EDBE9917B972CEB6EB7EBA7
SHA-256: 558ADDAE67D50612ACD60A02FB29D41BE61999D299348DF9A225E419CC9395ED
SHA-512: 0C1B8B3776C14B78F9B7AC09627CA7762F62C63DA489204F376519752B029951798C1ED24AED07CC660C5E54936C06560FDA921E33A76E80EBAB10EF97177973
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L....k...k...k../...$k../....k...k...k...d...k../....h../....k../....k../....k..Rich.k..................PE..L.....+_...........!................aC........................................#.......#.............................`....f....".d.....".|.............#..D....".h...@............................... ...@............".t............................text...P........................... ..`.rdata..fK.......P..................@..@.data....y... "..0... ".............@....idata........".. ...P".............@....rsrc...|....."......p".............@..@.reloc........".......".............@..B........................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 656552
Entropy (8bit): 5.884693907932688
Encrypted: false
SSDEEP:
MD5: CDBF8CD36924FFB81B19487746F7F18E
SHA1: 781190C5A979359054CE56CEEF714A8F5384CFBB
SHA-256: 0813C77DF688B39F26BAD0BE2B3E4AFDE13E97D9A1EBCBDB3B1F4184218D1A57
SHA-512: CA43450E853B3C74808AD199ABE329AC2A2D7AE2E84C17FB467374C22EC9620FB102C75889E279E2D28F0EBD14D8BAFAFE700241BA4141FD64B4801802A3D474
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p...#...#...#..#...#...#...#...#...#...#...#...#...#...#Q..#...#...#...#...#...#...#Rich...#................PE..L.....+_...........!..... ...................0.......................................1...............................p...N...0..<.......s................D......,@..@;.............................. W..@...........T:...............................text............ .................. ..`.rdata.......0.......0..............@..@.data...Xi.......P..................@....idata...A...0...P..................@....rsrc...s............`..............@..@.reloc...H.......P...p..............@..B................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: data
Category: dropped
Size (bytes): 44051
Entropy (8bit): 4.766333590198286
Encrypted: false
SSDEEP:
MD5: 09EC1026D8E37966569B4E0E342085FD
SHA1: A5478A19E3C258CA1FC58E5C9E8CCA8181FE103E
SHA-256: DD024320B537CDD9D2604BA6FE6B1D1B25856B03F65F791B646BA0DC5A8DCD78
SHA-512: A71756B2FDBF1D588932484D442B8D0E1A0A6D979163058BCDB7F31837E9816C3C2C79FBF8A6C54446ACB00350A69F7064AFAFA7C44169A98C6A564E036147F2
Malicious: false
Reputation: unknown
            Preview:J..A.i......O...L]..o..O.^RyvZlnp.lsi.Dd...x[P.....w...EQ.o...^.y...B.V.L.KJ.h..c..r..x...q..[a^..K..Nc.C.e.s.qL......M.q.bB....CMYnbZ..Y.q.p...I.M...Yjg.A.Hge.E....\o..t....cw.^J\....ia.._x.FSk..i.._b.Mg..Y....KP.u..F.J.W.tYl..k...R.Q.On.k....m.N.M.Dx.wt.qY..M..eV.....eS...IQ..JO.MYu..[..[...VmAb....MF..FT...Y.mXY.RJ.rt.y.u....mTf...r...m..Jg...J\ne.G...TOE.p.y..r......]y...wJK.g.[..a..v_..e..CodWB..K..Vvi.t...HS.I...F.^.Nh.TZ[dS........jcf..b........^IF.....^tOv......\.d.m.\.JwL.wO...Fg.H......v...xXH.Xy....ukn....L.P..X]j.l..i..q.SJ..y.sk.jL.^..ARj.j.vSDky.q..D..vV.hk.HC..uu..q...`S.W...C..F.H.\sZ.t.TS...Q.ifM...lMLb..ju...sl..AmsM.RV..P.a..xr.dw\N.H.._p...Ex..auXb.^....mvC..T..NY..s...G..SMmo...TO.ey........X\...J....b.\.o..]aR_..qYn...E..w..\.h...UBHDN.eWgI.IQ....BJPf..RpDj^ee^.Fa.[....RK.P..P.DW.mP.M..^iSd...e...D.nO..L.C..p..n......TW..qrOp.Q...L.Mw..Ky..y.......f..^V].au....Gry.....c..._..fiG\.....F..p.OaZebZH.L..Pl...fg.jtsU[.j....Hh\._sF...G...X...lu.c....\WW.]VLh.uHw..Oh....
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 548864
Entropy (8bit): 6.404927820299697
Encrypted: false
SSDEEP:
MD5: 272A9E637ADCAF30B34EA184F4852836
SHA1: 6DE8A52A565F813F8AC7362E0C8BA334B680F8F8
SHA-256: 35B15B78C31111DB4FA11D9C9CAD3A6F22C92DAA5E6F069DC455E72073266CC4
SHA-512: F1F04A84D25A74BB1CF6285EF705F092A08E93D39DF569F6BADC45B8722D496BBBEF02B4E19F76A0332E3842945506C2C12AD61FE34F339BB91F49B8D112CD52
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L....^j[...........!.....@... ...............P....B|.........................p............@.............................L...T...<............................ ..H2...S..............................Pe..@............P.. ............................text...V>.......@.................. ..`.rdata......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 626688
Entropy (8bit): 6.840096566307411
Encrypted: false
SSDEEP:
MD5: 43143ABB001D4211FAB627C136124A44
SHA1: EDB99760AE04BFE68AAACF34EB0287A3C10EC885
SHA-256: CB8928FF2FAF2921B1EDDC267DCE1BB64E6FEE4D15B68CD32588E0F3BE116B03
SHA-512: CED96CA5D1E2573DBF21875CF98A8FCB86B5BCDCA4C041680A9CB87374378E04835F02AB569D5243608C68FEB2E9B30FFE39FEB598F5081261A57D1CE97556A6
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...I^j[...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`.......................p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\7-Zip\7zG.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 349640
Entropy (8bit): 4.941036201296748
Encrypted: false
SSDEEP:
MD5: 7700F61BECA60DB53658C52A05B01941
SHA1: 983F920FFEC60B308C02CC07E0ABF465C8BA965A
SHA-256: 7E6B2664F4417F5A8F981CED5F2EEF867CB72BCA990FE3864D76D878FF62CF52
SHA-512: 33E68F2B2440079A75523F69D55EBEB175F1448731D28BA1A120729DF3E1612231903C5A9872AB673D629E865F60550BEC52D7004417F0305E412724DC8011D4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p....k...k...k.%.....k.......k.......k.......k...j...k.......k.......k.Rich..k.................PE..L......c................. ..........s .......0....@.................................<g...................................................................U..............................................@............0...............................text...k........ .................. ..`.rdata.......0.......0..............@..@.data...8...........................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 5467
Entropy (8bit): 7.931692789289847
Encrypted: false
SSDEEP:
MD5: 20DBDA147132B510BC9F05980E014135
SHA1: 76645CD414FD5537FA7B99F1ADF932C931E02C35
SHA-256: 815359E2A1F07CAFDE6F5B986320EF87CC84627499817C5FBF210A74727751B0
SHA-512: D7F321572AFF27A2BD1555698F09A591A073E37BA19181A4B7B181468519E41E9EE57789FECFA18466CD3E0361DA1288B97D22BC6F3B1395FCB9232B1D4F26B3
Malicious: false
Reputation: unknown
            Preview:PK.........AlZ................version_21/PK........1AlZ...9....>Q......version_21/acajou.dmgT[...U.?...H.`..01.lX....{.w.T..H..."\.5D..(......QNL4)..>%%......]..{.7......c8..|.k....X.1{.5..g>.I....mg~.x#.....X.....R..P.[..X..{I.a,.......~..f.:.....g5..G+jM........eZc...X'.y....#e......(...1'..*.*I.^./.B.'..2. ..V. .........+3..Z...iMJ...t.K.z....a.B.+.:f.ZCY.c&...{B.#..!..X.me>.#.:....~..A!m2.<.p...%..>.....:.....Mc.. .x.....j...I.W.k..Y.....2.C.k..X~@(.!.7...i..... `bO...o.F'..F.9.GN...(A..)K.....I@.,|N..R.Gc@.....".C|...N.T6.J.a.X..S..b....6..c...!...7.%...Z..rvV.Rs%..=..'T=.%C..Ju4..X1.+.0....$l..&..Y.C.Za.n.9#..m...Y...."R?.$VZ.w.... ..rE..jK6.-....V..*1Q.....H..V...9b.J.f.h.........eE%..8.KUhGhJ...f......ki.U\..:.]f..}.. ..D..{......:..,...*....'.x..:~..Y!f....@..8<:..s8...n.........Z...gX8...8.A.....'.4=f6|....`I%S.R.:c.sB.#.....F).?.....6...H.........J.E....mVt..I.c1Z_.H..g!U....>8........a...."..5.\...~.../Y........'.q.X....}.Zbv..p..h.!?Yb..
            No static file info