
Analysis Report FMANe21F1Afxd4jr1iZv.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208682
Start date: 16.02.2020
Start time: 22:37:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: FMANe21F1Afxd4jr1iZv.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winEXE@3/0@0/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 63.8% (good quality ratio 60.5%)
  • Quality average: 79.7%
  • Quality standard deviation: 28.8%
HCA Information:
  • Successful, ratio: 82%
  • Number of executed functions: 48
  • Number of non-executed functions: 458
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Whitelisted: false
Threat: Emotet
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

None of the HTTP servers contacted by the sample answered. The sample is likely an old dropper that no longer works.



Mitre Att&ck Matrix

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
Execution: Execution through API (2), Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
Persistence: Hidden Files and Directories (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
Privilege Escalation: Process Injection (2), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
Defense Evasion: Masquerading (12), Hidden Files and Directories (1), Software Packing (1), Process Injection (2), Deobfuscate/Decode Files or Information (1), File Deletion (1), Obfuscated Files or Information (21)
Credential Access: Input Capture (2), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
Discovery: System Time Discovery (2), Process Discovery (2), Application Window Discovery (1), Security Software Discovery (2), File and Directory Discovery (2), System Information Discovery (35), Network Sniffing
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
Collection: Input Capture (2), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (1), Uncommonly Used Port (1), Commonly Used Port (1), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (11), Commonly Used Port, Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Signature Overview

AV Detection:

Antivirus detection for sample
Source: FMANe21F1Afxd4jr1iZv.exe | Avira: detection malicious, Label: TR/AD.Emotet.aouip
Found malware configuration
Source: mmcndmgr.exe.5876.2.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["104.236.28.47/hsEe"]}
Multi AV Scanner detection for submitted file
Source: FMANe21F1Afxd4jr1iZv.exe | Virustotal: Detection: 75%
Source: FMANe21F1Afxd4jr1iZv.exe | ReversingLabs TitaniumCloud: Detection: 83%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,0_2_00428AA3
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0042FC18 lstrlen,FindFirstFileA,FindClose,0_2_0042FC18
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_024030C0 FindNextFileW,FindFirstFileW,FindClose,0_2_024030C0
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,2_2_00428AA3
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0042FC18 lstrlen,FindFirstFileA,FindClose,2_2_0042FC18

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49788 -> 71.126.247.90:80
Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.5:49791 -> 104.236.28.47:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49790 -> 80.86.91.91:8080
Source: global traffic | TCP traffic: 192.168.2.5:49791 -> 104.236.28.47:8080
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 98.239.119.52
Source: Joe Sandbox View | IP Address: 104.236.28.47
Source: Joe Sandbox View | IP Address: 80.86.91.91
Source: Joe Sandbox View | IP Address: 71.126.247.90
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic | TCP traffic: 192.168.2.5:49788 -> 71.126.247.90:80
Source: global traffic | TCP traffic: 192.168.2.5:49789 -> 98.239.119.52:80
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST /hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/ HTTP/1.1
  Referer: http://104.236.28.47/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/
  Content-Type: multipart/form-data; boundary=---------------------------885710832299045
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 104.236.28.47:8080
  Content-Length: 4628
  Connection: Keep-Alive
  Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/ HTTP/1.1
  Referer: http://104.236.28.47/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/
  Content-Type: multipart/form-data; boundary=---------------------------885710832299045
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 104.236.28.47:8080
  Content-Length: 4628
  Connection: Keep-Alive
  Cache-Control: no-cache
Urls found in memory or binary data
Source: mmcndmgr.exe, 00000002.00000002.2389012073.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://104.236.28.47/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: FMANe21F1Afxd4jr1iZv.exe, 00000000.00000002.1988713747.000000000085A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0041C023 GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0041C023
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00416206 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_00416206
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043A602 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,0_2_0043A602
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00438A32 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_00438A32
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0042D5F7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_0042D5F7
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00437723 GetKeyState,GetKeyState,GetKeyState,0_2_00437723
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0041C023 GetKeyState,GetKeyState,GetKeyState,GetKeyState,2_2_0041C023
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00416206 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_00416206
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043A602 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,2_2_0043A602
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00438A32 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,2_2_00438A32
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0042D5F7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,2_2_0042D5F7
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00437723 GetKeyState,GetKeyState,GetKeyState,2_2_00437723

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000002.00000002.2389842760.00000000006C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2389805215.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1988683225.0000000000840000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004382BB NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect,0_2_004382BB
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004165F4 NtdllDefWindowProc_A,0_2_004165F4
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00418CFF __CxxThrowException@8,__snprintf_s,NtdllDefWindowProc_A,0_2_00418CFF
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00418D07 __snprintf_s,__snprintf_s,NtdllDefWindowProc_A,0_2_00418D07
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00418F60 _memset,NtdllDefWindowProc_A,0_2_00418F60
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00413773 NtdllDefWindowProc_A,CallWindowProcA,0_2_00413773
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004382BB NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect,2_2_004382BB
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004165F4 NtdllDefWindowProc_A,2_2_004165F4
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00418CF6 __CxxThrowException@8,__snprintf_s,NtdllDefWindowProc_A,2_2_00418CF6
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00418D07 __snprintf_s,__snprintf_s,NtdllDefWindowProc_A,2_2_00418D07
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00418F60 _memset,NtdllDefWindowProc_A,2_2_00418F60
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00413773 NtdllDefWindowProc_A,CallWindowProcA,2_2_00413773
Creates files inside the system directory
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | File created: C:\Windows\SysWOW64\mmcndmgr\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | File deleted: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0044A120
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0041826F
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00418222
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045E3C3
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043C4F0
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045E637
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004506A9
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004567B2
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004507BF
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045E941
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00462912
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0044AC92
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043EEA9
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045B029
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045F0CB
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00403080
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004531CC
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045D2F9
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043F37C
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043F750
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00457875
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045D822
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00457A62
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043FB5C
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00445C6F
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0045DD64
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0044DE61
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043FF7C
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0084531F
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_024059E0
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004180EC
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0044A120
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045E3C3
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043C4F0
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045E637
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004506A9
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004567B2
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004507BF
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045E941
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00462912
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0044AC92
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043EEA9
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045B029
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045F0CB
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00403080
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_004531CC
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045D2F9
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043F37C
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043F750
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00457875
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045D822
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00457A62
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043FB5C
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00445C6F
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0045DD64
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0044DE61
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043FF7C
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: String function: 0043D624 appears 97 times
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: String function: 0044556E appears 43 times
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: String function: 0041EC48 appears 56 times
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: String function: 0043CA63 appears 201 times
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: String function: 0043D624 appears 97 times
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: String function: 0044556E appears 43 times
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: String function: 0041EC48 appears 53 times
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: String function: 0043CA63 appears 200 times
PE file contains strange resources
Source: FMANe21F1Afxd4jr1iZv.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FMANe21F1Afxd4jr1iZv.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FMANe21F1Afxd4jr1iZv.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: FMANe21F1Afxd4jr1iZv.exe, 00000000.00000000.1969523135.00000000004C1000.00000008.00020000.sdmp | Binary or memory string: OriginalFilenameHe refused to testify before the Democrat-controlledT vs FMANe21F1Afxd4jr1iZv.exe
Source: FMANe21F1Afxd4jr1iZv.exe, 00000000.00000002.1990304701.0000000002B50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs FMANe21F1Afxd4jr1iZv.exe
Source: FMANe21F1Afxd4jr1iZv.exe, 00000000.00000002.1990590162.0000000002C50000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs FMANe21F1Afxd4jr1iZv.exe
Source: FMANe21F1Afxd4jr1iZv.exe, 00000000.00000002.1990590162.0000000002C50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs FMANe21F1Afxd4jr1iZv.exe
Source: FMANe21F1Afxd4jr1iZv.exe | Binary or memory string: OriginalFilenameHe refused to testify before the Democrat-controlledT vs FMANe21F1Afxd4jr1iZv.exe
Classification label
Source: classification engine | Classification label: mal88.troj.evad.winEXE@3/0@0/4
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0040C4C0 FindResourceA,LoadResource,FreeResource,0_2_0040C4C0
Creates mutexes
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IB23B8C7D
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MB23B8C7D
Reads ini files
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: FMANe21F1Afxd4jr1iZv.exe | Virustotal: Detection: 75%
Source: FMANe21F1Afxd4jr1iZv.exe | ReversingLabs TitaniumCloud: Detection: 83%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe 'C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Process created: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Binary contains paths to debug symbols
Source: Binary string: c:\Users\User\Desktop\2005\6.2.20\ScrollerCtrl_demo\ScrollerTest\Release\ScrollerTest.pdb | source: FMANe21F1Afxd4jr1iZv.exe, mmcndmgr.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_004C0C10
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043CB3B push ecx; ret 0_2_0043CB4E
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0043D669 push ecx; ret 0_2_0043D67C
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00849A9D push ecx; retf 0_2_00849AA3
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043CB3B push ecx; ret 2_2_0043CB4E
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0043D669 push ecx; ret 2_2_0043D67C
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Executable created and started: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | PE file moved: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | File opened: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0040C2F1 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,0_2_0040C2F1
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0040C2A0 IsIconic,0_2_0040C2A0
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00412DF2 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00412DF2
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0042D6B9 IsWindowVisible,IsIconic,0_2_0042D6B9
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00427884 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_00427884
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0040C2F1 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,2_2_0040C2F1
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0040C2A0 IsIconic,2_2_0040C2A0
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00412DF2 IsIconic,GetWindowPlacement,GetWindowRect,2_2_00412DF2
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0042D6B9 IsWindowVisible,IsIconic,2_2_0042D6B9
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00427884 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,2_2_00427884
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-49277
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-57880
Checks the free space of harddrives
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,0_2_00428AA3
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_0042FC18 lstrlen,FindFirstFileA,FindClose,0_2_0042FC18
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | Code function: 0_2_024030C0 FindNextFileW,FindFirstFileW,FindClose,0_2_024030C0
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,2_2_00428AA3
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Code function: 2_2_0042FC18 lstrlen,FindFirstFileA,FindClose,2_2_0042FC18
Program exit points
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | API call chain: ExitProcess graph end node graph_0-58043
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe | API call chain: ExitProcess graph end node graph_0-57747
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | API call chain: ExitProcess graph end node graph_2-49433
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | API call chain: ExitProcess graph end node graph_2-49447
Queries a list of all running processes
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe | Process information queried: ProcessInformation

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0044271F
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_004C0C10
Contains functionality to read the PEB
In a 32-bit process fs:[30h] is the PEB pointer in the TEB. Reading it directly lets code check PEB.BeingDebugged (offset 2) and PEB.NtGlobalFlag (offset 0x68) without calling IsDebuggerPresent, and walk PEB.Ldr (offset 0x0C) to resolve APIs by hash instead of through the import table. Three of the hits (0x00840467, 0x00842F7F, 0x00843D1F) lie in the region starting at 0x00840000 that the Yara rule flags as Emotet (see Memory Dumps), and two more (0x024043E0, 0x02403640) are outside the mapped image entirely, so these are reads from unpacked payload code rather than from the original executable's sections.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00403040  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00840467  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00842F7F  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00843D1F  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_024043E0  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_02403640  mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_00403040  mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
The referenced chain is the MSVC CRT start-up routine (GetStartupInfoA, heap set-up, GetVersionExA, GetCommandLineA, __setargv, __setenvp, __cinit): GetProcessHeap is called here to initialise the runtime heap, not to detect a debugger.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0043C85E  GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln
Contains functionality to register its own exception handler
All of the chains below are CRT internals (the __encode_pointer/__decode_pointer wrappers around SetUnhandledExceptionFilter, the _raise/__NMSG_WRITE abort path, and the fatal-error path already noted above); they are identical in the original sample and in the copy dropped as mmcndmgr.exe, which is expected since the dropped file is the same binary.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00444764  SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0044C66F  __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0044271F  _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00444786  __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0043B294  IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_00444764  SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0044C66F  __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0044271F  _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_00444786  __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0043B294  IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
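Sorting these signatures by hand is error-prone because the report lists compiler runtime chains next to genuine anti-analysis code. The following script is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses a few "Code function" lines copied from this section in the raw export format (the function id appears at both ends of each line) and classifies them as CRT boilerplate, a packer-style entry point, or a direct PEB read. The CRT chain table and the verdict labels are assumptions of this example and can be extended for other reports.

```python
import re
from dataclasses import dataclass

# Signature lines copied from the Anti Debugging section of this report, in the
# raw export format: "Source: <image>Code function: <fid> <chain><fid>".
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0044271F",
    r"Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_004C0C10",
    r"Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_00403040 mov eax, dword ptr fs:[00000030h]0_2_00403040",
    r"Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln,0_2_0043C85E",
    r"Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: 0_2_004475B7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004475B7",
]

# fid = <process index>_<run>_<address>; the same id closes the line.
LINE_RE = re.compile(
    r"^Source: (?P<source>.*?)Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) (?P<body>.*?)(?P=fid)$"
)

# Win32 API sequences that the MSVC CRT emits in every /GS-protected binary.
# They are compared after dropping CRT-internal symbols (leading underscore).
CRT_CHAINS = {
    ("GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
     "GetTickCount", "QueryPerformanceCounter"):
        "CRT __security_init_cookie (seeds the /GS stack cookie)",
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
     "GetCurrentProcess", "TerminateProcess"):
        "CRT fatal-error path (_call_reportfault / __report_gsfailure)",
}
CRT_STARTUP_MARKERS = {"__cinit", "__wincmdln", "__setargv", "__setenvp", "__RTC_Initialize"}


@dataclass
class Finding:
    fid: str
    process_index: int
    address: int
    apis: list
    verdict: str


def classify(apis, body):
    """Label one chain; the labels are this example's own triage categories."""
    if "fs:[00000030h]" in body:
        return "anti-analysis: direct PEB read via fs:[30h] (BeingDebugged/NtGlobalFlag/Ldr reachable without an API call)"
    if CRT_STARTUP_MARKERS & set(apis):
        return "benign: CRT start-up routine (mainCRTStartup)"
    win_apis = tuple(a for a in apis if not a.startswith("_"))
    if win_apis in CRT_CHAINS:
        return "benign: " + CRT_CHAINS[win_apis]
    if "EntryPoint" in apis and {"LoadLibraryA", "GetProcAddress", "VirtualProtect"} <= set(apis):
        return "suspicious: entry point resolves imports itself and rewrites page protections (consistent with an unpacking stub)"
    return "unclassified"


def parse_line(line):
    """Parse one raw report line into a Finding, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fid, body = m.group("fid"), m.group("body")
    pidx, _run, addr = fid.split("_")
    # Disassembly bodies contain commas of their own, so only split API chains.
    apis = [] if "fs:[" in body else [a for a in body.split(",") if a]
    return Finding(fid, int(pidx), int(addr, 16), apis, classify(apis, body))


def triage(lines):
    return [f for f in (parse_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f"{f.fid}  {f.verdict}")
```

Run against this report the output leaves exactly two lines worth an analyst's time: the entry-point stub and the PEB read; the other three are compiler output that every release-mode MSVC binary carries.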

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
The strings below are window class and caption names (Progman, Shell_TrayWnd, Program Manager) of the kind passed to FindWindow; the signature is string-based and does not show the lookup being executed.
Source: mmcndmgr.exe, 00000002.00000002.2390250585.0000000001140000.00000002.00000001.sdmp  Binary or memory string: Program Manager
Source: mmcndmgr.exe, 00000002.00000002.2390250585.0000000001140000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: mmcndmgr.exe, 00000002.00000002.2390250585.0000000001140000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: mmcndmgr.exe, 00000002.00000002.2390250585.0000000001140000.00000002.00000001.sdmp  Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Every chain in this group is part of the MSVC CRT's setlocale/_init_locale machinery (___getlocaleinfo, _LcidFromHexString, _TestDefaultLanguage, EnumSystemLocalesA, _LocaleUpdate). It is statically linked runtime code, not language-based targeting logic in the payload.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045A05D  __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C068  _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C03E  EnumSystemLocalesA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C0CD  _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C109  _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045A2E1  __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C5E9  GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045A5A5  ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C75F  GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C724  _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0044C780  ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045C89C  _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00464FD9  GetThreadLocale,GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0041B3F3  _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_004599CE
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_004619BF  GetLocaleInfoA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045BBC3  GetLocaleInfoA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045BCA5  _LcidFromHexString,GetLocaleInfoA
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045BD3B  GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045BDAD  _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0045BF7D  _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045A05D  __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C068  _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C03E  EnumSystemLocalesA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C0CD  _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C109  _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045A2E1  __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C5E9  GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045A5A5  ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C75F  GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C724  _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0044C780  ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045C89C  _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_00464FD9  GetThreadLocale,GetLocaleInfoA,GetACP
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0041B3F3  _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_004599CE
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_004619BF  GetLocaleInfoA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045BBC3  GetLocaleInfoA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045BCA5  _LcidFromHexString,GetLocaleInfoA
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045BD3B  GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045BDAD  _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0045BF7D  _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_00455551  cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Queries volume information: C:\ VolumeInformation (7 times)
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Queries volume information: C:\ VolumeInformation (6 times)
Contains functionality to query local / system time
This exact sequence (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the MSVC CRT's __security_init_cookie, which mixes these values to seed the /GS stack cookie; it is not a timing or sandbox-uptime check.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_004475B7  GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Contains functionality to query time zone information
The chain is the CRT's _tzset implementation (TZ lookup, GetTimeZoneInformation, conversion of the zone names with WideCharToMultiByte), runtime code rather than geolocation logic.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0044F600  __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson
Contains functionality to query windows version
This is the same CRT start-up routine listed under Anti Debugging; GetVersionExA is called there to fill the runtime's _osver/_winver globals.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0043C85E  GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match  File source: 00000002.00000002.2389842760.00000000006C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.2389805215.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1988683225.0000000000840000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
This signature is a false positive: CreateBindCtx is the OLE32 API that creates a COM binding context for moniker resolution (used here next to std::filesystem permission handling and a wide-string formatter, i.e. shell-link or path code). It has nothing to do with the Winsock bind()/listen() calls that a listening backdoor would need, and the report records no listening socket.
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0040EE65  CreateBindCtx
Source: C:\Users\user\Desktop\FMANe21F1Afxd4jr1iZv.exe  Code function: 0_2_0040FFD4  __ehhandler$___std_fs_change_permissions@12,__EH_prolog3_GS,lstrlenW,__snprintf_s,CreateBindCtx
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0040EE65  CreateBindCtx
Source: C:\Windows\SysWOW64\mmcndmgr\mmcndmgr.exe  Code function: 2_2_0040FFD4  __ehhandler$___std_fs_change_permissions@12,__EH_prolog3_GS,lstrlenW,__snprintf_s,CreateBindCtx

Malware Configuration

Threatname: Emotet

{"C2 list": ["104.236.28.47/hsEe"]}

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
FMANe21F1Afxd4jr1iZv.exe | 75% | Virustotal | (none)
FMANe21F1Afxd4jr1iZv.exe | 84% | ReversingLabs TitaniumCloud FileReputation | Win32.Trojan.Emotet
FMANe21F1Afxd4jr1iZv.exe | 100% | Avira | TR/AD.Emotet.aouip

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://104.236.28.47/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/ | 0% | Avira URL Cloud | safe
http://104.236.28.47:8080/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/ | 0% | Avira URL Cloud | safe
A 0% / "safe" verdict from a URL reputation service does not clear these URLs. Both are requests to the C2 entry 104.236.28.47/hsEe recovered from the unpacked configuration, once on port 80 and once on 8080, with a per-request random path under it; the reputation lookup only shows that this specific path had not been seen before.
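The extracted configuration stores the C2 as host/path-prefix, and the two URLs above show the bot appending a random path and trying more than one port against that prefix. The script below is an added example, not part of the Joe Sandbox report, of turning that entry into proxy-log detection logic. The log format ("epoch client method url status") and all log lines are constructed for the example; the first two URLs are the ones this sample requested, the rest are decoys that exercise the edge cases (same path on another host, same host on another path, unrelated bare-IP traffic on 8080). The verdict names and the weak bare-IP heuristic are this example's own choices.

```python
import ipaddress
from urllib.parse import urlsplit

# C2 entry exactly as extracted in the "Malware Configuration" section of this report.
C2_LIST = ["104.236.28.47/hsEe"]

# Constructed proxy log (not from the report): "epoch client method url status".
SAMPLE_LOG = """\
1581892650 10.0.0.15 GET http://104.236.28.47/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/ 000
1581892651 10.0.0.15 GET http://104.236.28.47:8080/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/ 000
1581892700 10.0.0.22 GET http://example.com/hsEe/index.html 200
1581892701 10.0.0.22 GET http://104.236.28.47/other/ 200
1581892702 10.0.0.30 POST http://203.0.113.7:8080/kJ8sd/ 200
1581892703 10.0.0.30 GET https://www.example.org/ 200
"""


def parse_indicator(entry):
    """'host[:port]/path' -> (host, port or None, '/path').

    A missing port means "any port": this report's entry carries none and the
    sample was observed trying both 80 and 8080 against it.
    """
    hostport, _, path = entry.partition("/")
    host, _, port = hostport.partition(":")
    return host, (int(port) if port else None), "/" + path.strip("/")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(url, indicators):
    """Return a verdict for one URL, or None if nothing matched."""
    u = urlsplit(url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)
    for ihost, iport, ipath in indicators:
        if host == ihost and (iport is None or iport == port):
            if u.path == ipath or u.path.startswith(ipath + "/"):
                return "c2_exact"      # configured host and path prefix
            return "c2_host"           # known C2 host, different path
    # Weak generic heuristic modelled on the observed traffic: plain HTTP to a
    # bare IP literal on 8080. Expect false positives from dev/test systems.
    if u.scheme == "http" and port == 8080 and _is_ip_literal(host):
        return "weak_bare_ip_8080"
    return None


def scan_log(text, c2_list):
    """Return (client, url, verdict) for every flagged line of the log."""
    indicators = [parse_indicator(e) for e in c2_list]
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        verdict = classify_request(url, indicators)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG, C2_LIST):
        print(f"{verdict:<18} {client:<12} {url}")
```

Matching on host plus path prefix rather than on the full URL is deliberate: the random trailing path components differ per request, so a full-URL indicator from this report would never fire again. The host-only tier catches the same server reused with a new path prefix, which is worth a lower-severity alert.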

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.2389842760.00000000006C1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.2389805215.00000000006B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.1988683225.0000000000840000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

        Unpacked PEs

        No yara matches

        Sigma Overview

        No Sigma rule has matched

        Joe Sandbox View / Context

        IPs

Match | Associated Sample Name / URL | Detection | Context
98.239.119.52 | http://smarktestllc.com/smarktestllc.com/95904/h19377590014459994sm8a4ndcimtsef | malicious | 98.239.119.52/4bV9XHDISanGEAB3XJ/
104.236.28.47 | https://printmygame.com/wp-content/MV2VSF1FH61/eyeuxn/ | malicious | 104.236.28.47:8080/yohRBUJ/UJNjfPq7mCx/GIB4nD/4ymPh/
104.236.28.47 | 5167-31632_County_Report.rtf | malicious | 104.236.28.47:8080/qTOCLk7eJB0N7wSkI/airGiD5hVE0vdcJ/
104.236.28.47 | http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/ | malicious | 104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/
104.236.28.47 | http://www.wireup.in/oeiwosk36j3ss/INC/79wn96/xlhdd049999796-5498-mpnvitjpw5jhd/ | malicious | 104.236.28.47:8080/bKi1vowZfe5zkey0tB
104.236.28.47 | https://solisci.pl/static/8155709634/hckcl9086181-05369353-brlxdyqgid7day/ | malicious | 104.236.28.47:8080/G3kDfXyawUZt4wcjZoF
104.236.28.47 | https://triani.in/wp-admin/report/q4lk2j41/ | malicious | 104.236.28.47:8080/Z2OpCse
80.86.91.91 | http://ln.ac.th/eng/wp-content/uploads/AEBQLTCU43OIW/ | malicious | 80.86.91.91:8080/x79gXJ6hcrA2EFD/muel7u/iDTplW0azzZ4T/expvo4FHU/XuhQ24NnZJtAp93/6HcwbeCtl/
80.86.91.91 | http://paksat.com.pk/tenders/browse/84z71qz/x322398315ho8ss3lmi467fm/ | malicious | 80.86.91.91:8080/rqc7KZaBIht0eGKl/7lh9T/9zBS37Z2c1pLchSQ/WdQcZogEeV/T0qepQUVQO2VhdJf/
71.126.247.90 | http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/ | malicious | 71.126.247.90/UOAEodt5UzLlCQ/0dW69/MxdzEiNUxNue/
71.126.247.90 | VJW-020120 SKT-020720.doc | malicious | 71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/

        Domains

        No context

        ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | https://clck.ru/MCro3 | malicious | 104.28.5.73
unknown | http://hardyload.com/22783aa0106c0e89f2.js | malicious | 172.64.97.22
unknown | http://amp.wte.net/t.aspx?S=88&URL=http%3A%2F%2Fdevros%2Epub%2Ero%2F%2EE%2EL%2F#asadowsky@earthlink.net&sdfe784r387 | malicious | 99.86.162.8
unknown | http://offers.vaniacozzolino.com | malicious | 108.163.203.125
unknown | beloved.exe | malicious | 104.16.155.36
unknown | AD_loc_cl-49050_19325.doc | malicious | 185.180.199.51
unknown | DHL_DOC_Ref_No_9289393922.html | malicious | 52.216.206.109
unknown | https://kolalilo.s3-sa-east-1.amazonaws.com/mo7amiusa5d0.html | malicious | 35.241.19.31
unknown | http://ardp.hldns.ru/loligang.mpsl | malicious | 46.246.45.171
unknown | PI-INVTRD13022020_pdf.js | malicious | 104.20.67.143
unknown | payment RECEIPT MT_103.exe | malicious | 172.217.23.193
unknown | PI-INVTRD13022020_pdf.js | malicious | 104.20.68.143
unknown | https://link.email.hgtv.com/click/19455764.6697635/aHR0cHM6Ly93d3cuaGd0di5jb20vZGVzaWduL2hndHYtZHJlYW0taG9tZS9zd2VlcHN0YWtlcz9ubD1SLUhHVFY6REgyMDIwXzIwMjAtMDItMTVfSGVhZGVyJmJpZD0xOTQ1NTc2NCZjMzI9MWYwYjhiYmMyNmIzNzBiMjJiMjRmMDViOTA0M2UwNzgxZDEzZTcwMCZzc2lkPTIwMjBfSEdUVl9jb25maXJtYXRpb25fQVBJJnNuaV9ieT0xOTYwJnNuaV9nbj1NYWxl/5e10bb97283d8e21ee3d2630B39a813 | malicious | 209.197.3.24
unknown | https://businesses.uber.com/empreinte-carbone.html | malicious | 52.216.24.174
unknown | invoice 257.xls | malicious | 47.254.171.5
unknown | invoice 257.xls | malicious | 47.254.171.5
unknown | Image File.docx | malicious | 162.144.33.102
unknown | Factura de febrero vencida.vbs | malicious | 18.191.16.12
unknown | Y1bN8gahvV.exe | malicious | 94.177.123.138
unknown | Image File.docx | malicious | 162.144.33.102

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Screenshots

        Thumbnails
