
Analysis Report hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 188696
Start date: 08.11.2019
Start time: 23:26:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean16.winEXE@28/3@8/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 96%)
  • Quality average: 82.3%
  • Quality standard deviation: 25.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240, 205.185.216.42, 205.185.216.10, 67.27.233.126, 8.248.127.254, 8.248.113.254, 67.26.139.254, 67.27.233.254
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 16
Range: 0 - 100
Whitelisted: false
Detection: clean

Confidence

Strategy: Threshold
Score: 2
Range: 0 - 5
Further Analysis Required?: true


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Graphical User Interface1 | Winlogon Helper DLL | Exploitation for Privilege Escalation1 | Software Packing3 | Input Capture21 | System Time Discovery2 | Application Deployment Software | Input Capture21 | Data Encrypted12 | Standard Cryptographic Protocol22
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection1 | Process Injection1 | Network Sniffing | Query Registry1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information1 | Input Capture | Process Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information3 | Credentials in Files | Account Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | DLL Side-Loading1 | Account Manipulation | System Owner/User Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | Security Software Discovery11 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | File and Directory Discovery2 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Information Discovery33 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for unpacked file
Source: 0.2.hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe.1030000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe.1030000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010352C2 wcslen,wcslen,wcslen,malloc,CryptAcquireContextW,memcpy,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,??3@YAXPAX@Z,0_2_010352C2
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010355E8 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,malloc,CryptDestroyKey,??3@YAXPAX@Z,??3@YAXPAX@Z,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,??3@YAXPAX@Z,0_2_010355E8
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0103542C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,0_2_0103542C
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01035498 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptEncrypt,CryptDestroyKey,malloc,CryptDestroyKey,memcpy,??3@YAXPAX@Z,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,??3@YAXPAX@Z,0_2_01035498
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01040784 CryptAcquireContextW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,sprintf,0_2_01040784
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010356F9 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,malloc,malloc,CryptDestroyKey,??3@YAXPAX@Z,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,malloc,toupper,??3@YAXPAX@Z,0_2_010356F9
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01040835 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptCreateHash,strlen,CryptHashData,CryptDeriveKey,CryptDestroyHash,CryptDecrypt,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_01040835
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01035074 CryptBinaryToStringW,CryptBinaryToStringW,malloc,CryptBinaryToStringW,??3@YAXPAX@Z,0_2_01035074
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010350F2 wcslen,wcslen,CryptStringToBinaryW,CryptStringToBinaryW,malloc,wcslen,CryptStringToBinaryW,0_2_010350F2
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01041CC8 malloc,CryptAcquireContextW,CryptCreateHash,strlen,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,??3@YAXPAX@Z,0_2_01041CC8
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01034FE5 CryptBinaryToStringW,malloc,CryptBinaryToStringW,??3@YAXPAX@Z,0_2_01034FE5

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0104347F _wcsicmp,wcslen,wcslen,wcslen,wcscpy,wcslen,wcslen,GetTempPathW,wcscpy,wcscat,memset,FindFirstFileW,CloseHandle,CreateFileW,CreateFileW,wcscpy,wcscat,GetFileSize,malloc,ReadFile,CloseHandle,memcmp,wcscpy,wcscat,CopyFileW,CreateFileW,memset,strstr,strchr,memset,MultiByteToWideChar,wcsncpy,_swprintf,wcsstr,wcsncat,wcscat,wcscat,wcscat,Sleep,MessageBoxW,RegQueryValueExW,RegDeleteValueW,RegOpenKeyExW,RegQueryValueExW,RegDeleteValueW,RegQueryValueExW,RegDeleteValueW,RegQueryValueExW,RegDeleteValueW,RegCloseKey,RegDeleteKeyW,GetForegroundWindow,keybd_event,keybd_event,keybd_event,_strncoll,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strchr,memset,memset,MultiByteToWideChar,wcsncpy,??3@YAXPAX@Z,wcscpy,wcscat,_swprintf,_swprintf,_swprintf,_swprintf,WideCharToMultiByte,strlen,CreateFileW,WriteFile,Clo0_2_0104347F
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0104293D _wcsicmp,wcscat,memset,FindFirstFileW,FindClose,GetTempPathW,wcslen,wcslen,wcslen,GetModuleFileNameW,CreateFileW,CreateFileW,GetFileSize,malloc,ReadFile,CloseHandle,CloseHandle,_swprintf,CreateFileW,GetLastError,??3@YAXPAX@Z,WriteFile,??3@YAXPAX@Z,CloseHandle,??3@YAXPAX@Z,CloseHandle,_swprintf,memset,ShellExecuteExW,memset,FindFirstFileW,FindFirstFileW,Sleep,FindFirstFileW,FindClose,0_2_0104293D
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0103BB31 __EH_prolog3,memset,memset,wcslen,wcslen,wcslen,iswalpha,wcscpy,wcslen,wcslen,wcslen,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_swprintf,FindFirstFileW,SetFileAttributesW,_swprintf,wcscmp,wcscmp,SetFileAttributesW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,0_2_0103BB31
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01083D00 FindFirstFileW,FindClose,0_2_01083D00

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Found strings which match to known social media urls
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.nosltd.com
Urls found in memory or binary data
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrus
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicerai-dm7
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digi
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0F
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 0000000E.00000002.4993634861.0000000004BE9000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.m
Source: explorer.exe, 0000000C.00000002.4972878491.0000000005AAA000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.m##
Source: explorer.exe, 0000000A.00000002.4951563663.0000000004ACD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mDD)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889354301.00000000014EC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888121070.0000000001031000.00000040.00020000.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4480166641.00000000002A5000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4475269691.00000000002AE000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889280683.00000000014A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: explorer.exe, 00000003.00000002.4900126565.0000000002700000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.4922316533.00000000029E0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.4961699502.0000000003350000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000002.4983016381.0000000002D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | String found in binary or memory: http://www.nosltd.com/index.php/products/transfer-manager/get-plus-plus
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888121070.0000000001031000.00000040.00020000.sdmp | String found in binary or memory: http://www.nosltd.com/index.php/products/transfer-manager/get-plus-plus%ld%s
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889280683.00000000014A0000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4475269691.00000000002AE000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4475334629.00000000002A5000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/Challenge
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/ReportErrorMessage
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4480136028.00000000002B7000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4480179422.00000000002AE000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485047614.00000000002B7000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/RequestDownloadDdf
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | String found in binary or memory: https://dmws.rockwellautomation.com/dmws.asmx
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4886853931.00000000001D0000.00000004.00000020.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889354301.00000000014EC000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/dmws.asmx?sessionid=hvfpxokhvg5t3d54pzkcryxn637088397994912087
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889280683.00000000014A0000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/dmws.asmx?sessionid=hvfpxokhvg5t3d54pzkcryxn637088397994912087t3
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888121070.0000000001031000.00000040.00020000.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/dmws.asmxURL
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4480146026.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: https://dmws.rockwellautomation.com/nR
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4485056563.00000000002AA000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887041216.0000000000254000.00000004.00000020.sdmp | String found in binary or memory: https://www.nosltd.com/
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | String found in binary or memory: https://www.nosltd.com/239048.php
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889280683.00000000014A0000.00000004.00000001.sdmp, hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000003.4697105409.000000000024B000.00000004.00000001.sdmp | String found in binary or memory: https://www.nosltd.com/239048.php?status=1&sessionid=hvfpxokhvg5t3d54pzkcryxn637088397994912087&vers
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888121070.0000000001031000.00000040.00020000.sdmp | String found in binary or memory: https://www.nosltd.com/239048.phpOut
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | String found in binary or memory: https://www.nosltd.com/rockwell_logfiles/receive_logfiles.php
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888121070.0000000001031000.00000040.00020000.sdmp | String found in binary or memory: https://www.nosltd.com/rockwell_logfiles/receive_logfiles.phpidempty_%s:
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01092428 GetSystemMetrics,GetSystemMetrics,GetAsyncKeyState,GetKeyState,0_2_01092428
Creates a DirectInput object (often for capturing keystrokes)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4886853931.00000000001D0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010352C2 wcslen,wcslen,wcslen,malloc,CryptAcquireContextW,memcpy,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,??3@YAXPAX@Z,0_2_010352C2
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010355E8 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,malloc,CryptDestroyKey,??3@YAXPAX@Z,??3@YAXPAX@Z,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,??3@YAXPAX@Z,0_2_010355E8
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01035498 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptEncrypt,CryptDestroyKey,malloc,CryptDestroyKey,memcpy,??3@YAXPAX@Z,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,??3@YAXPAX@Z,0_2_01035498
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010356F9 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,malloc,malloc,CryptDestroyKey,??3@YAXPAX@Z,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,malloc,toupper,??3@YAXPAX@Z,0_2_010356F9

System Summary:

PE file has a writeable .text section
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0103F9E4: DeviceIoControl,GetAdaptersAddresses,0_2_0103F9E4
Creates mutexes
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\FFAD8DA9-ED41-494d-AC8E-63D861D0A733gpe
Detected potential crypto function
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_01096588 0_2_01096588
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0104347F 0_2_0104347F
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_010B281C 0_2_010B281C
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0103FF4C 0_2_0103FF4C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: String function: 0103177D appears 89 times
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: String function: 01031812 appears 46 times
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: String function: 0106ABE2 appears 322 times
PE file contains executable resources (Code or Archives)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888050599.0000000001010000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887942882.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4888066728.0000000001020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887961195.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: clean16.winEXE@28/3@8/3
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function: 0_2_0103EDC0 LoadResource,LockResource,SizeofResource,0_2_0103EDC0
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exeFile created: C:\Users\user\AppData\Local\RockwellAutomation\Jump to behavior
Launches a second explorer.exe instanceShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\explorer.exe
Source: unknownProcess created: C:\Windows\explorer.exe
Source: unknownProcess created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Reads ini files
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies; Windows reads this key on every process start, so the hit on its own carries no weight)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Command line: 'C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: unknown | Process created: C:\Windows\explorer.exe | Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process created: C:\Windows\SysWOW64\explorer.exe | Command line: explorer.exe /e,C:\RA\
Note: the sample starts the 32-bit (SysWOW64) explorer.exe nine times with /e,C:\RA\, which opens an Explorer window rooted at C:\RA\. Each of those starts is paired with a 64-bit explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding start, which is COM class-factory activation of the shell; the two rows always occur together.
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 (CLSID_MyComputer, the shell's "This PC" folder object)
Uses Rich Edit Controls
Source: C:\Windows\explorer.exe | File opened: C:\Windows\SYSTEM32\MsftEdit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Window detected: Number of UI elements: 24
PE file has a valid certificate
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

PE file contains sections with non-standard names
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Static PE information: section name: .nos
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0106B411 to 0_2_0106B424: push ecx; ret
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0106AC81 to 0_2_0106AC94: push ecx; ret
Note: two isolated push/ret pairs are a weak signal; compiler runtime epilogue helpers can end the same way.
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.99865300262
Note: an entropy of 7.999 against a maximum of 8.0 means the on-disk .text section is indistinguishable from random data, i.e. compressed or encrypted and unpacked at run time. This is the finding that actually matters in this group; it agrees with the writeable .text section reported in the behavior graph and with the generic packer labels Avira assigns to the unpacked memory dumps in the antivirus section.
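The static findings in this group (DYNAMIC_BASE and NX_COMPAT flags, the .nos section name, the near-maximal .text entropy, and the writeable .text section noted in the behavior graph) can be reproduced outside the sandbox. The script below is an example added to this page, not Joe Sandbox's implementation: it parses only the PE headers it needs with the Python standard library and, for a self-contained run, audits a constructed minimal PE32 image that mimics those characteristics (the analysed sample itself is not reproduced). The STANDARD_SECTIONS list and the 7.5 bits/byte entropy threshold are assumptions chosen for the example, not values taken from the report.

```python
"""Static PE audit: DllCharacteristics flags, section names, W+X sections
and per-section Shannon entropy. Example code added to this page; it is
not Joe Sandbox's code and the sample image below is constructed."""
import hashlib
import json
import math
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
# IMAGE_SECTION_HEADER.Characteristics bits
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
# Assumption: names the usual linkers emit; anything else is reported as non-standard
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def audit_pe(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Walk DOS header -> NT headers -> section table and collect findings."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4                                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    result = {"dynamic_base": bool(dll_chars & DYNAMIC_BASE),
              "nx_compat": bool(dll_chars & NX_COMPAT),
              "sections": [], "findings": []}
    sec_table = opt + opt_size
    for i in range(num_sections):
        off = sec_table + 40 * i                               # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        body = data[raw_ptr:raw_ptr + raw_size]
        sec = {"name": name, "entropy": round(shannon_entropy(body), 3),
               "writable": bool(chars & SCN_MEM_WRITE),
               "executable": bool(chars & SCN_MEM_EXECUTE),
               "nonstandard_name": name not in STANDARD_SECTIONS}
        result["sections"].append(sec)
        if sec["nonstandard_name"]:
            result["findings"].append("non-standard section name: %s" % name)
        if sec["writable"] and sec["executable"]:
            result["findings"].append("section %s is writable and executable" % name)
        if sec["entropy"] >= entropy_threshold:
            result["findings"].append("section %s entropy %.3f suggests packed or encrypted data"
                                      % (name, sec["entropy"]))
    return result


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample): a high-entropy,
    writable+executable .text section followed by a zero-filled .nos section."""
    high_entropy = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                            for i in range(128))               # 4096 deterministic bytes
    zeros = bytes(4096)
    opt_size = 96                                              # PE32 optional header, no data directories
    headers_len = (0x40 + 4 + 20 + opt_size + 40 * 2 + 0x1FF) & ~0x1FF   # round up to 512-byte alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections, EXE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE | NX_COMPAT)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 4096, 0x1000, 4096, headers_len,
                       0, 0, 0, 0, 0x60000020 | SCN_MEM_WRITE)  # code, read, execute, write
    secs += struct.pack("<8sIIIIIIHHI", b".nos", 4096, 0x2000, 4096, headers_len + 4096,
                        0, 0, 0, 0, 0x40000040)                 # initialised data, read
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    return hdr.ljust(headers_len, b"\0") + high_entropy + zeros


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(audit_pe(blob), indent=2))
```

Run it with a file path to audit a real binary, or with no arguments to audit the constructed image. A real packed sample typically shows the same three findings together: a writable code section (the unpacker writes decoded code into it), near-8.0 entropy on disk, and a section name the packer chose; a certificate and modern DllCharacteristics flags say nothing either way, since packers preserve them.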

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Note: the source of this hit is explorer.exe itself, which watches HKCU\Software\Classes as part of normal shell operation; it is not an action of the sample.
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Process information set: NOOPENFILEERRORBOX
Note: SEM_NOOPENFILEERRORBOX only suppresses the "file not found" dialog when a library fails to load; installers set it routinely.

Malware Analysis System Evasion:

Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes | graph_0-28902
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | TID: 3296 | Thread sleep time: -30000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0104347F: _wcsicmp,wcslen,wcslen,wcslen,wcscpy,wcslen,wcslen,GetTempPathW,wcscpy,wcscat,memset,FindFirstFileW,CloseHandle,CreateFileW,CreateFileW,wcscpy,wcscat,GetFileSize,malloc,ReadFile,CloseHandle,memcmp,wcscpy,wcscat,CopyFileW,CreateFileW,memset,strstr,strchr,memset,MultiByteToWideChar,wcsncpy,_swprintf,wcsstr,wcsncat,wcscat,wcscat,wcscat,Sleep,MessageBoxW,RegQueryValueExW,RegDeleteValueW,RegOpenKeyExW,RegQueryValueExW,RegDeleteValueW,RegQueryValueExW,RegDeleteValueW,RegQueryValueExW,RegDeleteValueW,RegCloseKey,RegDeleteKeyW,GetForegroundWindow,keybd_event,keybd_event,keybd_event,_strncoll,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strchr,memset,memset,MultiByteToWideChar,wcsncpy,??3@YAXPAX@Z,wcscpy,wcscat,_swprintf,_swprintf,_swprintf,_swprintf,WideCharToMultiByte,strlen,CreateFileW,WriteFile,Clo (chain truncated in the report)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0104293D: _wcsicmp,wcscat,memset,FindFirstFileW,FindClose,GetTempPathW,wcslen,wcslen,wcslen,GetModuleFileNameW,CreateFileW,CreateFileW,GetFileSize,malloc,ReadFile,CloseHandle,CloseHandle,_swprintf,CreateFileW,GetLastError,??3@YAXPAX@Z,WriteFile,??3@YAXPAX@Z,CloseHandle,??3@YAXPAX@Z,CloseHandle,_swprintf,memset,ShellExecuteExW,memset,FindFirstFileW,FindFirstFileW,Sleep,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0103BB31: __EH_prolog3,memset,memset,wcslen,wcslen,wcslen,iswalpha,wcscpy,wcslen,wcslen,wcslen,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_swprintf,FindFirstFileW,SetFileAttributesW,_swprintf,wcscmp,wcscmp,SetFileAttributesW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_01083D00: FindFirstFileW,FindClose
Note: 0_2_0103BB31 is a recursive delete (FindFirstFileW/FindNextFileW, clear attributes with SetFileAttributesW, DeleteFileW), and 0_2_0104293D reads its own image (GetModuleFileNameW, ReadFile), writes a file under the temp directory and starts it with ShellExecuteExW; both are ordinary installer routines, but they are the functions worth reading first.
Contains functionality to query system information
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0103F5F1: __EH_prolog3,memset,GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4886853931.00000000001D0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWx
Source: explorer.exe, 00000003.00000002.4912199881.0000000005E20000.00000002.00000001.sdmp; explorer.exe, 00000008.00000002.4926688655.00000000038F0000.00000002.00000001.sdmp; explorer.exe, 0000000A.00000002.4952583714.00000000056A0000.00000002.00000001.sdmp; explorer.exe, 0000000C.00000002.4973623624.0000000005E20000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWT
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4887104677.0000000000270000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.4912199881.0000000005E20000.00000002.00000001.sdmp; explorer.exe, 00000008.00000002.4926688655.00000000038F0000.00000002.00000001.sdmp; explorer.exe, 0000000A.00000002.4952583714.00000000056A0000.00000002.00000001.sdmp; explorer.exe, 0000000C.00000002.4973623624.0000000005E20000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000002.4912199881.0000000005E20000.00000002.00000001.sdmp; explorer.exe, 00000008.00000002.4926688655.00000000038F0000.00000002.00000001.sdmp; explorer.exe, 0000000A.00000002.4952583714.00000000056A0000.00000002.00000001.sdmp; explorer.exe, 0000000C.00000002.4973623624.0000000005E20000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000002.4912199881.0000000005E20000.00000002.00000001.sdmp; explorer.exe, 00000008.00000002.4926688655.00000000038F0000.00000002.00000001.sdmp; explorer.exe, 0000000A.00000002.4952583714.00000000056A0000.00000002.00000001.sdmp; explorer.exe, 0000000C.00000002.4973623624.0000000005E20000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: the strings found in the explorer.exe dumps are Windows' own Host Compute Service error messages, present in every Windows 10 shell process. "Hyper-V RAW" is the name of the Winsock catalog entry for AF_HYPERV sockets and lands in the heap of any process that initialises or enumerates Winsock. None of these strings comes from the sample's code, so this signature does not show VM detection.

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_01031165: strchr,GetProcessHeap,HeapFree,RtlAllocateHeap,_vsnprintf,HeapFree,RtlAllocateHeap,HeapFree
Note: the chain is a formatting helper that allocates its buffer from the process heap; nothing in it reads heap flags, which is what a GetProcessHeap-based debugger check would do.
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0106A410: SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Note: this four-call sequence matches the MSVC runtime's security-cookie (/GS) failure handler, which resets the filter, reports the exception and terminates the process.

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0104293D: _wcsicmp,wcscat,memset,FindFirstFileW,FindClose,GetTempPathW,wcslen,wcslen,wcslen,GetModuleFileNameW,CreateFileW,CreateFileW,GetFileSize,malloc,ReadFile,CloseHandle,CloseHandle,_swprintf,CreateFileW,GetLastError,??3@YAXPAX@Z,WriteFile,??3@YAXPAX@Z,CloseHandle,??3@YAXPAX@Z,CloseHandle,_swprintf,memset,ShellExecuteExW,memset,FindFirstFileW,FindFirstFileW,Sleep,FindFirstFileW,FindClose
Note: the signature is triggered by ShellExecuteExW, which elevates only when called with the "runas" verb; the report does not show the verb, so whether this is a UAC prompt or a plain launch has to be confirmed in the disassembly.
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0104347F: _wcsicmp,wcslen,wcslen,wcslen,wcscpy,wcslen,wcslen,GetTempPathW,wcscpy,wcscat,memset,FindFirstFileW,CloseHandle,CreateFileW,CreateFileW,wcscpy,wcscat,GetFileSize,malloc,ReadFile,CloseHandle,memcmp,wcscpy,wcscat,CopyFileW,CreateFileW,memset,strstr,strchr,memset,MultiByteToWideChar,wcsncpy,_swprintf,wcsstr,wcsncat,wcscat,wcscat,wcscat,Sleep,MessageBoxW,RegQueryValueExW,RegDeleteValueW,RegOpenKeyExW,RegQueryValueExW,RegDeleteValueW,RegQueryValueExW,RegDeleteValueW,RegQueryValueExW,RegDeleteValueW,RegCloseKey,RegDeleteKeyW,GetForegroundWindow,keybd_event,keybd_event,keybd_event,_strncoll,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strstr,_strncoll,strchr,memset,memset,MultiByteToWideChar,wcsncpy,??3@YAXPAX@Z,wcscpy,wcscat,_swprintf,_swprintf,_swprintf,_swprintf,WideCharToMultiByte,strlen,CreateFileW,WriteFile,Clo (chain truncated in the report)
Note: GetForegroundWindow followed by three keybd_event calls sends a key combination to whatever window is in front; the same function deletes several registry values and a key (RegDeleteValueW, RegDeleteKeyW), so it is the one to inspect for what is being cleaned up.
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0103A8F5: InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingW,MapViewOfFile,memset
Note: a descriptor built with SetSecurityDescriptorDacl directly before CreateFileMappingW is the usual way to give a shared memory section an explicit DACL; if the DACL passed is NULL, every user on the host can open and write the mapping.
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0103E784: memset,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,malloc,LocalFree
May try to detect the Windows Explorer process (often used for injection)
Source: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe, 00000000.00000002.4889554696.0000000001E30000.00000002.00000001.sdmp; explorer.exe, 00000003.00000002.4899468391.0000000001160000.00000002.00000001.sdmp; explorer.exe, 00000008.00000002.4921997027.0000000001530000.00000002.00000001.sdmp; explorer.exe, 0000000A.00000002.4939688952.0000000001250000.00000002.00000001.sdmp; explorer.exe, 0000000C.00000002.4960164495.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: same dumps as above | Binary or memory string: Shell_TrayWnd
Source: same dumps as above | Binary or memory string: Progman
Source: same dumps as above | Binary or memory string: Progmanlock
Note: Progman / "Program Manager" is the desktop window's class name and title and Shell_TrayWnd is the taskbar's class name; explorer.exe owns those windows, so its dumps necessarily contain the strings. Only the copy in the sample's own region (00000000...01E30000) is evidence of anything.

Language, Device and Operating System Detection:

Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the installation date of Windows
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion, value InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0106D5EE: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter
Note: this particular chain is the MSVC runtime's security-cookie initialisation (it mixes time, PIDs and the performance counter into the /GS cookie), not a clock query by the application.
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_0103B530: malloc,GetUserNameW,??3@YAXPAX@Z,??3@YAXPAX@Z
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_01079D11: GetTimeZoneInformation
Contains functionality to query windows version
Source: C:\Users\user\Desktop\hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | Code function 0_2_01095F75: __EH_prolog3,memset,GetVersionExW,CreateWindowExW
Note: CPU identifier, Windows install date, volume serial and user name are the usual ingredients of a host fingerprint or installation ID; whether this sample combines them, for instance into the sessionid it sends to www.nosltd.com in the URL list below, is not shown in the report.

Behavior Graph

(The graph is an image in the original report; the node data recoverable from it follows.)

Behavior Graph ID: 188696
Sample: hvfpxokhvg5t3d54pzkcryxn637...
Start date: 08/11/2019
Architecture: WINDOWS
Score: 16
Signature node: PE file has a writeable .text section
Processes started from the start node: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe; explorer.exe; explorer.exe; 7 other processes
Network from the sample process: 205.175.241.70, port 443 (local ports 49748, 49749), INS-AS-ATTDataCommunicationsServicesUS, United States; dmws.gslb.rockwellautomation.com resolving to 205.175.244.49, port 443 (local port 49747), INS-AS-ATTDataCommunicationsServicesUS, United States; 2 other IPs or domains
Child processes of the sample: explorer.exe; explorer.exe; explorer.exe; 6 other processes

Simulations

Behavior and APIs

Time | Type | Description
23:27:35 | API Interceptor | 2x Sleep call for process: hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe modified
23:27:56 | API Interceptor | 16x Sleep call for process: explorer.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | 0% | Virustotal | (none)
hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe | 0% | Metadefender | (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe.1030000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
0.1.hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe.1030000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.hvfpxokhvg5t3d54pzkcryxn637088397994912087_1.exe.1030000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

Note: TR/Crypt.XPACK.Gen and TR/Crypt.ZPACK.Gen are Avira's generic packer/crypter heuristics, not family signatures. They fire here on the memory images dumped at 0x1030000, which is consistent with the 7.999 .text entropy and the writeable .text section reported above, while the signed on-disk file scores 0% on both multi-scanners. Treat them as "packed", not as "malicious".

Domains

Source | Detection | Scanner
www.nosltd.com | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
http://schemas.m## | 0% | Avira URL Cloud | safe
https://www.nosltd.com/239048.php | 0% | Avira URL Cloud | safe
http://schemas.m | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://crl3.digicerai-dm7 | 0% | Avira URL Cloud | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
http://schemas.xmlsoap. | 0% | Avira URL Cloud | safe
http://www.nosltd.com/index.php/products/transfer-manager/get-plus-plus | 0% | Avira URL Cloud | safe
http://www.nosltd.com/index.php/products/transfer-manager/get-plus-plus%ld%s | 0% | Avira URL Cloud | safe
http://crl4.digi | 0% | URL Reputation | safe
https://www.nosltd.com/rockwell_logfiles/receive_logfiles.phpidempty_%s: | 0% | Avira URL Cloud | safe
http://schemas.mDD) | 0% | Avira URL Cloud | safe
https://www.nosltd.com/239048.php?status=1&sessionid=hvfpxokhvg5t3d54pzkcryxn637088397994912087&vers | 0% | Avira URL Cloud | safe
https://www.nosltd.com/239048.phpOut | 0% | Avira URL Cloud | safe
http://crl.identrus | 0% | Avira URL Cloud | safe
https://www.nosltd.com/ | 0% | Virustotal | (none)
https://www.nosltd.com/ | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.nosltd.com/rockwell_logfiles/receive_logfiles.php | 0% | Avira URL Cloud | safe

Note: these entries are strings carved from the sample and its memory, not a connection log. Fragments such as http://schemas.m##, http://crl3.digicerai-dm7 and http://cps.letsencrypt.org0 are cut-off XML namespace and certificate CRL/OCSP URLs, and entries containing %s or %ld are printf format strings. The sessionid value in the 239048.php URL equals the stem of the sample's file name, so the request reports the session of the download the file came from.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
INS-AS-ATTDataCommunicationsServicesUS | yarn | malicious | 149.158.77.235
INS-AS-ATTDataCommunicationsServicesUS | x86 | malicious | 155.2.141.43
INS-AS-ATTDataCommunicationsServicesUS | a6xUWVovtT.exe | malicious | 12.168.29.176
INS-AS-ATTDataCommunicationsServicesUS | 23nfz.exe | malicious | 12.106.244.5
INS-AS-ATTDataCommunicationsServicesUS | .exe | malicious | 12.106.244.5
INS-AS-ATTDataCommunicationsServicesUS | 34letter.exe | malicious | 12.202.184.6
INS-AS-ATTDataCommunicationsServicesUS | 82WRmoJP2e | malicious | 156.89.9.192
INS-AS-ATTDataCommunicationsServicesUS | 24.htm .exe | malicious | 63.241.158.8
INS-AS-ATTDataCommunicationsServicesUS | 46text.exe | malicious | 12.106.244.5
INS-AS-ATTDataCommunicationsServicesUS | 69text.exe | malicious | 12.160.67.130
INS-AS-ATTDataCommunicationsServicesUS | 91607qhzhang@jihui.exe | malicious | 170.22.76.10
INS-AS-ATTDataCommunicationsServicesUS | 29mail.exe | malicious | 12.160.67.130
INS-AS-ATTDataCommunicationsServicesUS | 59attachment.exe | malicious | 12.151.72.1
INS-AS-ATTDataCommunicationsServicesUS | .exe | malicious | 206.70.240.253
INS-AS-ATTDataCommunicationsServicesUS | 55message.exe | malicious | 12.203.251.21
INS-AS-ATTDataCommunicationsServicesUS | 55youtube@youtube2.exe | malicious | 12.42.129.194
INS-AS-ATTDataCommunicationsServicesUS | .exe | malicious | 12.203.251.21
INS-AS-ATTDataCommunicationsServicesUS | 29mhgs.exe | malicious | 12.151.72.1
INS-AS-ATTDataCommunicationsServicesUS | 29text.exe | malicious | 12.42.185.4
INS-AS-ATTDataCommunicationsServicesUS | 75xqy-oricine@cineva.exe | malicious | 206.19.205.93
unknown | Derco.pdf | malicious | 3.3.0.2
unknown | http://buggyra.media | malicious | 162.241.5.19
unknown | https://slivn.com/IKSE/ZS?emzo=lyn&lin=alindblom@vivaldicap.com | malicious | 112.213.89.2
unknown | dh7UcfOpbC.exe | malicious | 162.241.226.142
unknown | https://is.gd/1cuomP | malicious | 104.25.22.21
unknown | Washingtonpost.com.htm | malicious | 68.65.123.79
unknown | JavaUpdate.exe | malicious | 50.22.63.140
unknown | FILE_10086131790_ZV.doc | malicious | 104.31.89.48
unknown | sdtecdat102401.pdf | malicious | 3.3.0.2
unknown | #U266b New_VoiceAudio_538203.wavv.htm | malicious | 198.23.158.61
unknown | MOGA Pivot_v1.25_apkpure.com.apk | malicious | 216.58.201.78
unknown | Sharp.com.htm | malicious | 143.95.72.225
unknown | scpC69A.tmp.exe | malicious | 3.208.14.245
unknown | https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fimvvn.github.io%2fccim%2f&c=E,1,s2KfHZunLtZSb1cm0jOwj0_9Y-iDKF79zkIfC5Ze03RiFAdkz_AnMXM5Ad1mEyz21WkWPYCq2zDuuxsX_V37Z4zFS-WwsMzjMExo7LPy-wEnSQ,,&typo=1 | malicious | 185.199.111.153
unknown | https://storage.googleapis.com/friday2019811/voice-message/voice-message/recover.html?#marketing@boundarysys.com | malicious | 152.199.23.37
unknown | http://click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3 | malicious | 81.4.122.101
unknown | https://www.jottacloud.com/s/20668402b0b3b2b4e48a7e3390482afff77 | malicious | 116.203.232.164
unknown | contract.doc | malicious | 195.123.246.12
unknown | pgCiVjBM5a.exe | malicious | 5.45.143.87
unknown | https://officemte4rqk8aaybi6t75.z13.web.core.windows.net/index.php?c=john.todd@benefitmall.com | malicious | 52.239.153.33

Note: the match is on the autonomous system only. AT&T's AS hosts a large share of US addresses, so other malicious samples having contacted some address in it says nothing about the addresses this sample contacted; none of the context IPs above is one of them.

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
(every row below lists the same context IPs: 205.175.241.70, 94.136.34.49, 205.175.244.49)
ce5f3254611a8c095a3d821d44539877 | contract.doc | malicious
ce5f3254611a8c095a3d821d44539877 | 41colors.exe | malicious
ce5f3254611a8c095a3d821d44539877 | Resume.doc | malicious
ce5f3254611a8c095a3d821d44539877 | Shasta resume.doc | malicious
ce5f3254611a8c095a3d821d44539877 | 40group.exe | malicious
ce5f3254611a8c095a3d821d44539877 | mtwvc.exe | malicious
ce5f3254611a8c095a3d821d44539877 | SCAN DOC.exe | malicious
ce5f3254611a8c095a3d821d44539877 | malware.docm | malicious
ce5f3254611a8c095a3d821d44539877 | 1050_7044_2663.cpl | malicious
ce5f3254611a8c095a3d821d44539877 | docs_939v.993cv93.exe | malicious
ce5f3254611a8c095a3d821d44539877 | V7ewCsfEpV.exe | malicious
ce5f3254611a8c095a3d821d44539877 | https://u3446753.ct.sendgrid.net/wf/click?upn=smp0-2BUhTkseXhJKG9whoQ6ZCx0d-2Fp-2BLz-2FtbQLXa2kKM98GXQkjvQVaW2k7eTXtZ5ch4SbSVHWPRI9Gsq2ihXbg-3D-3D_O7ROD4svS-2BWtZVG4Rcp0Qi9t-2FvFmW6RVwIOeJatN7aN1ERGWsP5WZcj-2FyJoE8xT2vUBcaqvF9fl6vqP5cExOPO-2BhIPHcaitr-2BCMEyNzKgzBeWmVvTiRCWMRLg1Hur-2F8o4Iw0bLXTSw63ze3JnYnTJ-2B0QNa20AoNmNgmitCp-2FVyjwoZ9Yd9pkeyBmdEXMxDsWlk9Dl0OXH72YPpmLxAVUlG0Hx6MalSrfo-2FWQ9lNpoVo-3D | malicious
ce5f3254611a8c095a3d821d44539877 | malware.exe | malicious
ce5f3254611a8c095a3d821d44539877 | 6c0b790269.exe | malicious
ce5f3254611a8c095a3d821d44539877 | http://review6.com/wp-content/uploads/2019/07/sdlfkjwo4iufjsdlks.exe | malicious
ce5f3254611a8c095a3d821d44539877 | QuickBooks.vbs | malicious
ce5f3254611a8c095a3d821d44539877 | order_091019.xls | malicious
ce5f3254611a8c095a3d821d44539877 | order_091019.xls | malicious
ce5f3254611a8c095a3d821d44539877 | https://hec.su/oWaH | malicious
ce5f3254611a8c095a3d821d44539877 | frAtvwpiNF.xls | malicious

Note: a JA3 hash summarises the TLS ClientHello a client sends (version, cipher suites, extensions, curves, point formats). A process that uses the Windows TLS stack through Schannel or WinHTTP produces the same hash as every other such process on the same Windows build, benign or not, so a JA3 match between this sample and malicious documents and scripts shows a shared TLS client library, not shared code or infrastructure.

Dropped Files

No context

Screenshots

(Screenshot thumbnails are images in the original report and are not reproduced here.)