Analysis Report SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 222751
Start date: 15.04.2020
Start time: 16:40:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 2s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@61/8@13/2
EGA Information:
  • Successful, ratio: 88.9%
HDC Information:
  • Successful, ratio: 28.5% (good quality ratio 22.2%)
  • Quality average: 57.6%
  • Quality standard deviation: 38.7%
HCA Information:
  • Successful, ratio: 84%
  • Number of executed functions: 248
  • Number of non-executed functions: 206
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, dllhost.exe, WMIADAP.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 23.210.248.85, 205.185.216.42, 205.185.216.10, 104.107.183.121
  • Excluded domains from analysis (whitelisted): e5684.g.akamaiedge.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Remcos FormBook
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



MITRE ATT&CK Matrix

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise
  • Trusted Relationship
Execution:
  • Scripting (11)
  • Execution through API (1)
  • Execution through Module Load (1)
  • Graphical User Interface (1)
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
  • Third-party Software
  • Rundll32
  • PowerShell
Persistence:
  • Registry Run Keys / Startup Folder (11)
  • Application Shimming (1)
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking
  • Change Default File Association
Privilege Escalation:
  • Access Token Manipulation (1)
  • Process Injection (712)
  • Application Shimming (1)
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
  • Service Registry Permissions Weakness
  • Exploitation for Privilege Escalation
Defense Evasion:
  • Software Packing (2)
  • Deobfuscate/Decode Files or Information (1)
  • Scripting (11)
  • Obfuscated Files or Information (2)
  • Masquerading (1)
  • Virtualization/Sandbox Evasion (22)
  • Access Token Manipulation (1)
  • Process Injection (712)
  • Process Injection
  • Scripting
Credential Access:
  • Credentials in Files (1)
  • Input Capture (1)
  • Credentials in Registry (1)
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt
  • Keychain
Discovery:
  • System Time Discovery (1)
  • Account Discovery (1)
  • Security Software Discovery (221)
  • File and Directory Discovery (2)
  • System Information Discovery (18)
  • Virtualization/Sandbox Evasion (22)
  • Process Discovery (4)
  • Application Window Discovery (1)
  • System Owner/User Discovery (1)
  • Remote System Discovery (1)
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares
  • Taint Shared Content
Collection:
  • Email Collection (1)
  • Input Capture (1)
  • Clipboard Data (1)
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection
  • Audio Capture
Exfiltration:
  • Data Encrypted (1)
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium
  • Commonly Used Port
Command and Control:
  • Uncommonly Used Port (1)
  • Standard Cryptographic Protocol (12)
  • Standard Non-Application Layer Protocol (1)
  • Standard Application Layer Protocol (2)
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption
  • Connection Proxy
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
  • Rogue Cellular Base Station
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue
  • Data Destruction
  • Data Encrypted for Impact

Signature Overview


AV Detection:

Found malware configuration
Source: SLENTA.exe.4252.10.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Virustotal: Detection: 22%
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match | File source: 0000001E.00000002.1414535436.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1510463993.000000001EF90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1734423364.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1745776205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1355574372.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1446213996.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1565699193.000000001F210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.1579050673.000000001F210000.00000040.00000001.sdmp, type: MEMORY

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0040A1A7 FindFirstFileW,FindNextFileW,13_2_0040A1A7
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_0040A1A7 FindFirstFileW,FindNextFileW,13_1_0040A1A7
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.7:49709 -> 23.105.131.161:7279
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 23.105.131.161
Found strings which match known social media URLs
Source: SLENTA.exe, SLENTA.exe, 00000013.00000002.1119613570.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: SLENTA.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: cqjcc.org
URLs found in memory or binary data
Source: dnwn.exe, 00000014.00000002.1784788632.00000000008BA000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: dnwn.exe, 00000014.00000003.1689032176.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0#
Source: dnwn.exe, 00000014.00000003.1689032176.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: dnwn.exe, 00000014.00000002.1784788632.00000000008BA000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: dnwn.exe, 00000014.00000002.1784788632.00000000008BA000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: dnwn.exe, 00000014.00000002.1784788632.00000000008BA000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000000.00000002.651397175.00000000021D0000.00000040.00000001.sdmp, SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000002.00000002.685495097.0000000000560000.00000040.00000001.sdmp, SLENTA.exe, 00000005.00000002.885882083.0000000002250000.00000040.00000001.sdmp, SLENTA.exe, 00000009.00000002.1627144775.0000000002170000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000002.1234156381.00000000051F0000.00000040.00000001.sdmp, dnwn.exe, 0000000F.00000002.1119408000.0000000001FE0000.00000040.00000001.sdmp, dnwn.exe, 00000010.00000002.1022444504.0000000002110000.00000040.00000001.sdmp, dnwn.exe, 00000014.00000002.1743863274.0000000000560000.00000040.00000001.sdmp, dnwn.exe, 00000016.00000002.1365505759.0000000002090000.00000040.00000001.sdmp, svchost.exe, 00000017.00000002.1187534407.0000000003210000.00000040.00000001.sdmp, dnwn.exe, 00000018.00000002.1355705166.0000000000560000.00000040.00000001.sdmp, dnwn.exe, 00000019.00000002.1484550710.0000000002860000.00000040.00000001.sdmp, dnwn.exe, 0000001E.00000002.1414645054.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: http://myurl/myfile.bin
Source: dnwn.exe, 00000014.00000003.1689032176.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: SLENTA.exe, SLENTA.exe, 00000013.00000002.1119613570.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: SLENTA.exe, SLENTA.exe, 00000013.00000002.1119613570.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.com
Source: SLENTA.exe, 0000000E.00000002.1023587343.0000000000400000.00000040.00000001.sdmp, SLENTA.exe, 00000013.00000002.1119613570.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: SLENTA.exe, 0000000E.00000002.1023587343.0000000000400000.00000040.00000001.sdmp, SLENTA.exe, 00000013.00000002.1119613570.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comr
Source: SLENTA.exe, 0000000D.00000002.1057852931.0000000000192000.00000004.00000010.sdmp, SLENTA.exe, 00000012.00000002.1081900024.0000000000192000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: SLENTA.exe, 00000015.00000001.1081294070.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: SLENTA.exe, 00000012.00000002.1082648045.000000000075F000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: dnwn.exe, dnwn.exe, 00000010.00000002.1022444504.0000000002110000.00000040.00000001.sdmp, dnwn.exe, 00000014.00000002.1743863274.0000000000560000.00000040.00000001.sdmp, dnwn.exe, 00000016.00000002.1365505759.0000000002090000.00000040.00000001.sdmp, dnwn.exe, 00000018.00000002.1355705166.0000000000560000.00000040.00000001.sdmp, dnwn.exe, 00000019.00000002.1484550710.0000000002860000.00000040.00000001.sdmp, dnwn.exe, 0000001E.00000002.1414645054.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://cqjcc.org/bin_encrypted_1B4530.bin
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000000.00000002.651397175.00000000021D0000.00000040.00000001.sdmp, SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000002.00000002.685495097.0000000000560000.00000040.00000001.sdmp, SLENTA.exe, 00000005.00000002.885882083.0000000002250000.00000040.00000001.sdmp, SLENTA.exe, 00000009.00000002.1627144775.0000000002170000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000002.1234156381.00000000051F0000.00000040.00000001.sdmp, svchost.exe, 00000017.00000002.1187534407.0000000003210000.00000040.00000001.sdmp | String found in binary or memory: https://cqjcc.org/builf2_encrypted_96DB6DF.bin
Source: SLENTA.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: SLENTA.exe, SLENTA.exe, 00000013.00000002.1119613570.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: SLENTA.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW
Creates a DirectInput object (often for capturing keystrokes)
Source: dnwn.exe, 00000010.00000002.1022294603.0000000000670000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000001E.00000002.1414535436.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1510463993.000000001EF90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1734423364.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1745776205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1355574372.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1446213996.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1565699193.000000001F210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.1579050673.000000001F210000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001E.00000002.1414535436.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.1414535436.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.1510463993.000000001EF90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.1510463993.000000001EF90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1734423364.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1734423364.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000003.858070937.000000001F8CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000014.00000002.1745776205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1745776205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000003.950862037.00000000204A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000018.00000002.1355574372.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.1355574372.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000003.953679332.000000001FF13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.858005251.000000001F8AE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.1007100420.000000001FF13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.1119930252.000000001F92E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.1144187127.000000001F92E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.966039135.000000001FD41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.867393577.000000001F8CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000015.00000001.1081294070.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000003.858272580.000000001F8FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001F.00000002.1446213996.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1446213996.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1031010711.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001A.00000000.1655960401.000000000DF9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001D.00000001.1224377703.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000003.965886309.000000001F92E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.950923358.00000000204BF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001F.00000002.1565699193.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1565699193.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000003.1112814324.000000001FD41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.1156473507.000000002062A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001E.00000002.1579050673.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.1579050673.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.1088443306.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000003.1145108608.000000001FD41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001D.00000002.1251335126.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000011.00000001.996293192.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000003.1112882836.000000001F8AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 21.1.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 29.1.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 21.2.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 29.2.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 17.1.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 17.2.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Executable has a suspicious name (potential lure to open the executable)
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Abnormally high CPU usage
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DA3D8 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D3876 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DA88B NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D3A5A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DB2DC NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DAADB NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D3BDA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DABEE NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DB04A NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DA89F NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D38F0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DB167 NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DA9BE NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D0682 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D3F0C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DAF33 NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D3764 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021DAD10 NtResumeThread
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D0512 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 0_2_021D3D6C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 2_2_0056A3D8 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 2_2_00560682 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 2_2_00560512 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Code function: 2_2_0056050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02253876 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225A88B NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225A3D8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225B04A NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02253A5A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02250682 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225A89F NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_022538F0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225B2DC NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225AADB NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225AF33 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02253F0C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225AD10 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02250512 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02253764 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225B167 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02253D6C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225A9BE NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_0225ABEE NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 5_2_02253BDA NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02173876 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217A88B NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217A3D8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02173A5A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217B04A NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217A89F NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02170682 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217B2DC NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217AADB NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_021738F0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02170512 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217AD10 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02173F0C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217AF33 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217B167 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02173764 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02173D6C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217A9BE NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_02173BDA NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 9_2_0217ABEE NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051FA3D8 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F3876 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F0512 NtSetInformationThread,TerminateProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F050D NtSetInformationThread,TerminateProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F3F0C NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F3D6C NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F3764 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F3BDA NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F3A5A NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F0682 NtSetInformationThread,TerminateProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051F38F0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00402CAC NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE3591 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE04D0 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA0B8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA65D NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEADFD NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEABCE NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA1C1 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE3BB2 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA9AA NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE359C NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA78E NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE3D62 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEAF35 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE0528 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE3725 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE0523 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEACE0 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEB0B9 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE06A6 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA89C NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FE3892 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Code function: 15_2_01FEA66C NtResumeThread
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_004360CE
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0040509C
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00405199
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0043C2D0
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00440406
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0040451D
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_004045FF
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_0040458E
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00404690
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00414A51
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00404C08
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00406C8E
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00415DF3
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00416E5C
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00410FE4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_004360CE
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_0040509C
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_00405199
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_0043C2D0
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_00440406
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_0040451D
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_004045FF
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_1_0040458E
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_004050C2
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_004014AB
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00405133
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_004051A4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00401246
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_0040CA46
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00405235
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_004032C8
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_004222D9
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00401689
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00402F60
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_1_004222D9
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: String function: 00445190 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: String function: 00416849 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: String function: 0040924D appears 53 times
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: String function: 004166E8 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: String function: 00416A91 appears 132 times
Sample file name is different from the original file name gathered from version info
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000000.00000002.647675002.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDateboo.exe vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000000.00000002.651324084.0000000002190000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000000.00000002.655822991.0000000002A70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDateboo.exeFE2XTrans vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000002.00000000.646069184.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDateboo.exe vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000002.00000002.819817477.000000001E8F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000002.00000002.832488075.000000001E9F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe, 00000002.00000002.832488075.000000001E9F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Yara signature match
Source: 0000001E.00000002.1414535436.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.1414535436.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.1510463993.000000001EF90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.1510463993.000000001EF90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1734423364.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1734423364.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000003.858070937.000000001F8CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.1745776205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1745776205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000003.950862037.00000000204A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.1355574372.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.1355574372.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000003.953679332.000000001FF13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.858005251.000000001F8AE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1007100420.000000001FF13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1119930252.000000001F92E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1144187127.000000001F92E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.966039135.000000001FD41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.867393577.000000001F8CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000015.00000001.1081294070.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000003.858272580.000000001F8FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001F.00000002.1446213996.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.1446213996.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1031010711.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001A.00000000.1655960401.000000000DF9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000001.1224377703.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000003.965886309.000000001F92E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.950923358.00000000204BF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001F.00000002.1565699193.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.1565699193.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000003.1112814324.000000001FD41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1156473507.000000002062A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000002.1579050673.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.1579050673.000000001F210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.1088443306.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000003.1145108608.000000001FD41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000002.1251335126.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000011.00000001.996293192.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000003.1112882836.000000001F8AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.1.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 29.1.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 21.2.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 29.2.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 17.1.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 17.2.SLENTA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@61/8@13/2
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,13_2_004183B8
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,14_2_00410DE1
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,13_2_00418842
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,13_2_00413C19
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Code function: 13_2_004149B0 FindResourceW,SizeofResource,LoadResource,LockResource,13_2_004149B0
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | File created: C:\Users\user\AppData\Roaming\Google
Creates mutexes
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-79DIJK
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_01
Creates temporary files
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | File created: C:\Users\user\AppData\Local\Temp\Stratagema
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.vbs'
PE file has an executable .text section and no other executable section
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Queries a list of all open handles
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\control.exe | File read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data
Source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SLENTA.exe, 0000000A.00000003.1022637108.000000001FD41000.00000004.00000001.sdmp, SLENTA.exe, 0000000D.00000001.930648492.0000000000400000.00000040.00020000.sdmp, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by Antivirus
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Virustotal: Detection: 22%
Source: SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | ReversingLabs: Detection: 45%
Sample reads its own file content
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | File read: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe 'C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe'
Source: unknown | Process created: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe 'C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\srphppteakaagjytqbyzfyqsc'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\vluziiegosseqpuxhmlaqdcbljbw'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\fnasjapzcakjtdibrwyutqxsmpsfmdig'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\mromgkeganyurrxxsetqfiqsgoy'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\rpeijn'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\elxlkyoqzbkj'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\rvtnul'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\tpyfvdflb'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\dreqwwpnpuzp'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Process created: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe 'C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe'
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\srphppteakaagjytqbyzfyqsc'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\vluziiegosseqpuxhmlaqdcbljbw'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\fnasjapzcakjtdibrwyutqxsmpsfmdig'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\mromgkeganyurrxxsetqfiqsgoy'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe | Process created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\rpeijn'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\elxlkyoqzbkj'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\rvtnul'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\tpyfvdflb'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe /stext 'C:\Users\user\AppData\Local\Temp\dreqwwpnpuzp'Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exeProcess created: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Binary contains paths to debug symbols
Source: Binary string: colorcpl.pdbGCTL source: dnwn.exe, 00000014.00000003.1714781171.00000000008C7000.00000004.00000001.sdmp
Source: Binary string: colorcpl.pdb source: dnwn.exe, 00000014.00000003.1714781171.00000000008C7000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001A.00000000.1643911454.000000000D560000.00000002.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: SLENTA.exe, SLENTA.exe, 00000012.00000002.1082004616.0000000000400000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: dnwn.exe, 00000014.00000002.1793922279.000000001F420000.00000040.00000001.sdmp, dnwn.exe, 00000018.00000003.1198118027.000000001EF90000.00000004.00000001.sdmp
Source: Binary string: control.pdb source: dnwn.exe, 00000018.00000002.1355650456.00000000001C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: dnwn.exe, 00000014.00000002.1793922279.000000001F420000.00000040.00000001.sdmp, dnwn.exe, 00000018.00000003.1198118027.000000001EF90000.00000004.00000001.sdmp
Source: Binary string: control.pdbUGP source: dnwn.exe, 00000018.00000002.1355650456.00000000001C0000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, 00000017.00000002.1244809065.00000000050B0000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000017.00000002.1244809065.00000000050B0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000001A.00000000.1643911454.000000000D560000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 13.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 14.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 17.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 18.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 19.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 21.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 27.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 28.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 29.2.SLENTA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 13.2.SLENTA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 18.2.SLENTA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Unpacked PE file: 27.2.SLENTA.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004449B3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_0041190B push dword ptr [edx+2FB3CA2Ch]; retf 0_2_0041192A
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_004129DA pushad ; retf 0_2_004129DB
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_00412B3F push dword ptr [ebx+33B4CB30h]; retf 0_2_00412B49
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_0040E3FE push esp; iretd 0_2_0040E3EE
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_00408BB8 push eax; iretd 0_2_00408BEE
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_0040E3BF push esp; iretd 0_2_0040E3EE
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_00445190 push eax; ret 13_2_004451A4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_00445190 push eax; ret 13_2_004451CC
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_00449EB4 push eax; ret 13_2_00449EC1
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_00444F79 push ecx; ret 13_2_00444F89
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_1_00445190 push eax; ret 13_1_004451A4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_1_00445190 push eax; ret 13_1_004451CC
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_00414060 push eax; ret 14_2_00414074
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_00414060 push eax; ret 14_2_0041409C
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_00414039 push ecx; ret 14_2_00414049
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Code function: 15_2_0040DE21 push ebp; ret 15_2_0040DE22
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Code function: 15_2_0040C29B push ss; ret 15_2_0040C2C9
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Code function: 15_2_00401152 push eax; ret 15_2_004012C9
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Code function: 15_2_00401163 push eax; ret 15_2_004012C9
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Code function: 15_2_00402163 push dword ptr [edx-2DFFCD62h]; retn 0056h 15_2_00402184

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce regradat C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.vbs
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce regradat C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.vbs
Creates an autostart registry key
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce regradat
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce regradat
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce regradat
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce regradat

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_00403BC7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_00403BC7
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Sleep loop found (likely to delay execution)Show sources
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exeThread sleep count: Count: 1832 delay: -5Jump to behavior
Tries to detect virtualization through RDTSC time measurementsShow sources
Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 0000000002D97244 second address: 0000000002D9724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 0000000002D974AE second address: 0000000002D974B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 0000000000397244 second address: 000000000039724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 00000000003974AE second address: 00000000003974B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 00000000032F7244 second address: 00000000032F724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 00000000032F74AE second address: 00000000032F74B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Window / User API: threadDelayed 1832
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 4968 Thread sleep time: -54000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 280 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 280 Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 1508 Thread sleep count: 1832 > 30
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 2744 Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 4148 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe TID: 4148 Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe TID: 5052 Thread sleep count: 65 > 30
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe TID: 624 Thread sleep count: 42 > 30
Source: C:\Windows\explorer.exe TID: 4456 Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe TID: 3732 Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe TID: 2976 Thread sleep count: 75 > 30
Source: C:\Windows\SysWOW64\control.exe TID: 4340 Thread sleep time: -50000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_0040A1A7 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_1_0040A1A7 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_00418A6B memset,GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 0000001A.00000000.1578489485.0000000007560000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001A.00000000.1578489485.0000000007560000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001A.00000000.1578489485.0000000007560000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001A.00000000.1578489485.0000000007560000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D0682 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000
Hides threads from debuggers
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\svchost.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\svchost.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Stratagema\dnwn.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D4D7E LdrInitializeThunk
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 13_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D82A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D8AD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D98FA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D98F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D461C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D2E0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 0_2_021D1F0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_0056461C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_00562E0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_00568AD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_005698F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_005698FA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_005682A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe Code function: 2_2_00561F0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Stratagema\SLENTA.exe Code function: 5_2_02252E0B mov eax, dword ptr fs:[00000030h]