
Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Sample Name: duLT5gkRjy.exe
Analysis ID: 528744
MD5: d42456f7afc812628a9ff67d8c9340eb
SHA1: 30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256: a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
Tags: exe, Socelars

Detection

Socelars
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Socelars
Multi AV Scanner detection for domain / URL
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Enables driver privileges
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Enables security privileges

Classification

Process Tree

  • System is w10x64
  • duLT5gkRjy.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\duLT5gkRjy.exe" MD5: D42456F7AFC812628A9FF67D8C9340EB)
    • WerFault.exe (PID: 4760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Socelars

{"C2 url": "http://ngdatas.pw/"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
duLT5gkRjy.exe | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
00000000.00000000.306515847.000000000105A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
Process Memory Space: duLT5gkRjy.exe PID: 3892 | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.duLT5gkRjy.exe.f40000.0.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
0.0.duLT5gkRjy.exe.f40000.1.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
0.2.duLT5gkRjy.exe.f40000.0.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
0.0.duLT5gkRjy.exe.f40000.2.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: duLT5gkRjy.exe | Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}
Multi AV Scanner detection for submitted file
Source: duLT5gkRjy.exe | Virustotal: Detection: 62%
Source: duLT5gkRjy.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for domain / URL
Source: www.listincode.com | Virustotal: Detection: 9%
Source: duLT5gkRjy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: duLT5gkRjy.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | DNS query: name: iplogger.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://ngdatas.pw/
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 149.28.253.196
Source: Joe Sandbox View | IP Address: 5.9.162.45
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Host: www.listincode.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /1GWfv7 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Host: iplogger.org
    Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: duLT5gkRjy.exe, 00000000.00000003.302571040.00000000015BC000.00000004.00000001.sdmp, duLT5gkRjy.exe, 00000000.00000003.302543791.00000000015BC000.00000004.00000001.sdmp, duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp, WerFault.exe, 00000004.00000002.328072230.0000000004FF0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: duLT5gkRjy.exe | String found in binary or memory: http://ngdatas.pw/
Source: duLT5gkRjy.exe | String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.ecgbg.com
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.ecgbg.com/Home/Index/getdata
Source: duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp | String found in binary or memory: https://iplogger.org/
Source: duLT5gkRjy.exe | String found in binary or memory: https://prntscr.com/upload.php
Source: duLT5gkRjy.exe | String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: duLT5gkRjy.exe | String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.amazon.com/
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.aol.com
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.google.com
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.listincode.com/
Source: unknown | DNS traffic detected: queries for: www.listincode.com
Source: unknown | HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: duLT5gkRjy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: String function: 00F47720 appears 121 times
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: String function: 00F481E0 appears 138 times
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: String function: 00F62220 appears 34 times
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: String function: 00F47470 appears 47 times
Source: duLT5gkRjy.exe | Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process token adjusted: Load Driver
Source: duLT5gkRjy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process token adjusted: Security
Source: duLT5gkRjy.exe | Virustotal: Detection: 62%
Source: duLT5gkRjy.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\duLT5gkRjy.exe "C:\Users\user\Desktop\duLT5gkRjy.exe"
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC887.tmp
Source: classification engine | Classification label: mal80.troj.winEXE@2/6@2/2
Source: duLT5gkRjy.exe, duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp | Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: duLT5gkRjy.exe, duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: duLT5gkRjy.exe, duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3892
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Mutant created: \Sessions\1\BaseNamedObjects\patatoes
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: duLT5gkRjy.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: duLT5gkRjy.exe | Static file information: File size 1552896 > 1048576
Source: duLT5gkRjy.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112400
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: duLT5gkRjy.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: msasn1.pdbr source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
                      Source: Binary string: rsaenh.pdb- source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: gpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb` source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: urlmon.pdb~ source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbl source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: netapi32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb{ source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.311380961.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311026320.000000000346C000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.311494456.0000000003466000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311005034.0000000003466000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdbt source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: dpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
                      Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: duLT5gkRjy.exe | Static PE information: section name: .ogtrfyj
                      Source: duLT5gkRjy.exe | Static PE information: section name: .ogtrfyj
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware7,1
                      Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 00000004.00000002.328060193.0000000004FDA000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000002.328024784.0000000004F1E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_0102B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_010383D7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_010424F8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_0102B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_01024F72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_01026304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 0_2_010429E0 _free,_free,_free,GetTimeZoneInformation,_free,
                      Source: Amcache.hve.4.dr, Amcache.hve.LOG1.4.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.4.dr, Amcache.hve.LOG1.4.dr | Binary or memory string: procexp.exe

                      Stealing of Sensitive Information:

                      Yara detected Socelars
                      Source: Yara match | File source: duLT5gkRjy.exe, type: SAMPLE
                      Source: Yara match | File source: 0.0.duLT5gkRjy.exe.f40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.duLT5gkRjy.exe.f40000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.duLT5gkRjy.exe.f40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.duLT5gkRjy.exe.f40000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.306515847.000000000105A000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: duLT5gkRjy.exe PID: 3892, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | LSASS Driver1 | Process Injection2 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | LSASS Driver1 | Process Injection2 | LSASS Memory | Security Software Discovery31 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol113 | SIM Card Swap | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      duLT5gkRjy.exe | 62% | Virustotal |
                      duLT5gkRjy.exe | 62% | ReversingLabs | Win32.Adware.ExtInstaller

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      Source | Detection | Scanner | Label
                      www.listincode.com | 10% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://www.channelinfo.pw/index.php/Home/Index/getExe | 0% | URL Reputation | safe
                      http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP | 0% | URL Reputation | safe
                      http://www.ecgbg.com | 0% | Virustotal |
                      http://www.ecgbg.com | 0% | Avira URL Cloud | safe
                      https://www.listincode.com/ | 0% | URL Reputation | safe
                      http://www.ecgbg.com/Home/Index/getdata | 0% | Avira URL Cloud | safe
                      http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband | 0% | URL Reputation | safe
                      http://ngdatas.pw/ | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      iplogger.org | 5.9.162.45 | true | false | | high
                      www.listincode.com | 149.28.253.196 | true | true | | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        https://iplogger.org/1GWfv7 | false | | high
                        https://www.listincode.com/ | true | URL Reputation: safe | unknown
                        http://ngdatas.pw/ | true | URL Reputation: safe | unknown

                          URLs from Memory and Binaries

                          Name | Source | Malicious | Antivirus Detection | Reputation
                          https://iplogger.org/1KyTy7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/14Qju7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1Gjzj7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1756b7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1Gbzj7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1TBch7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1Cr3a7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1spuy7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1UKG97 | duLT5gkRjy.exe | false | | high
                          http://www.channelinfo.pw/index.php/Home/Index/getExe | duLT5gkRjy.exe | false | URL Reputation: safe | unknown
                          https://iplogger.org/ | duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp | false | | high
                          https://iplogger.org/1fHtp7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1XJq97 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1BBCf7 | duLT5gkRjy.exe | false | | high
                          http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP | duLT5gkRjy.exe | true | URL Reputation: safe | unknown
                          https://iplogger.org/143up7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1DE477 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1Tkij7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1T79i7 | duLT5gkRjy.exe | false | | high
                          https://www.google.com | duLT5gkRjy.exe | false | | high
                          http://www.ecgbg.com | duLT5gkRjy.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                          https://iplogger.org/1s5qp7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1Uts87 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1TCch7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1G7Sc7 | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1GWfv7eZr | duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp | false | | high
                          https://iplogger.org/1OhAG | duLT5gkRjy.exe | false | | high
                          https://iplogger.org/1b4887 | duLT5gkRjy.exe | false | | high
                                                                            https://iplogger.org/1pdxr7duLT5gkRjy.exefalse
                                                                              high
                                                                              https://iplogger.org/1rqRg7duLT5gkRjy.exefalse
                                                                                high
                                                                                https://iplogger.org/1aaVp7duLT5gkRjy.exefalse
                                                                                  high
                                                                                  http://www.ecgbg.com/Home/Index/getdataduLT5gkRjy.exefalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://iplogger.org/1H3Fa7duLT5gkRjy.exefalse
                                                                                    high
                                                                                    https://iplogger.org/1OZVHduLT5gkRjy.exefalse
                                                                                      high
                                                                                      https://iplogger.org/1UpU57duLT5gkRjy.exefalse
                                                                                        high
                                                                                        https://iplogger.org/1rd8N6duLT5gkRjy.exefalse
                                                                                          high
                                                                                          https://iplogger.org/1O2BHduLT5gkRjy.exefalse
                                                                                            high
                                                                                            https://iplogger.org/1Pdet7duLT5gkRjy.exefalse
                                                                                              high
                                                                                              http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeabandduLT5gkRjy.exefalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://iplogger.org/1x5bg7duLT5gkRjy.exefalse
                                                                                                high
                                                                                                https://iplogger.org/1XKq97duLT5gkRjy.exefalse
                                                                                                  high
                                                                                                  https://iplogger.org/1XSq97duLT5gkRjy.exefalse
                                                                                                    high
                                                                                                    https://iplogger.org/1746b7duLT5gkRjy.exefalse
                                                                                                      high
                                                                                                      https://iplogger.org/19iM77duLT5gkRjy.exefalse
                                                                                                        high
                                                                                                        https://iplogger.org/169Bx7duLT5gkRjy.exefalse
                                                                                                          high
                                                                                                          https://iplogger.org/1T89i7duLT5gkRjy.exefalse
                                                                                                            high
                                                                                                            https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplogduLT5gkRjy.exefalse
                                                                                                              high
                                                                                                              https://iplogger.org/1s4qp7duLT5gkRjy.exefalse
                                                                                                                high
                                                                                                                https://iplogger.org/1uS4i7duLT5gkRjy.exefalse
                                                                                                                  high
                                                                                                                  https://iplogger.org/1uW6i7duLT5gkRjy.exefalse
                                                                                                                    high
                                                                                                                    https://iplogger.org/16ajh7duLT5gkRjy.exefalse
                                                                                                                      high
                                                                                                                      https://iplogger.org/14ePy7duLT5gkRjy.exefalse
                                                                                                                        high
                                                                                                                        https://iplogger.org/16xjh7duLT5gkRjy.exefalse
                                                                                                                          high
                                                                                                                          https://iplogger.org/1wnqn7duLT5gkRjy.exefalse
                                                                                                                            high
                                                                                                                            https://iplogger.org/1X8M97duLT5gkRjy.exefalse
                                                                                                                              high
                                                                                                                              https://www.amazon.com/duLT5gkRjy.exefalse
                                                                                                                                high
                                                                                                                                https://iplogger.org/1Ghzj7duLT5gkRjy.exefalse
                                                                                                                                  high
                                                                                                                                  https://iplogger.org/1rDMq7duLT5gkRjy.exefalse
                                                                                                                                    high
                                                                                                                                    http://upx.sf.netAmcache.hve.4.drfalse
                                                                                                                                      high
                                                                                                                                      https://iplogger.org/1lcZzduLT5gkRjy.exefalse
                                                                                                                                        high
                                                                                                                                        https://iplogger.org/1TW3i7duLT5gkRjy.exefalse
                                                                                                                                          high
                                                                                                                                          https://iplogger.org/1Z7qd7duLT5gkRjy.exefalse
                                                                                                                                            high
                                                                                                                                            https://iplogger.org/1q6Jt7duLT5gkRjy.exefalse
                                                                                                                                              high
                                                                                                                                              https://iplogger.org/1mxKf7duLT5gkRjy.exefalse
                                                                                                                                                high
                                                                                                                                                https://iplogger.org/1CUGu7duLT5gkRjy.exefalse
                                                                                                                                                  high
                                                                                                                                                  https://iplogger.org/1OXFGduLT5gkRjy.exefalse
                                                                                                                                                    high
                                                                                                                                                    https://iplogger.org/:UduLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://iplogger.org/1bV787duLT5gkRjy.exefalse
                                                                                                                                                        high
                                                                                                                                                        https://prntscr.com/upload.phpduLT5gkRjy.exefalse
                                                                                                                                                          high
                                                                                                                                                          https://sm.ms/api/v2/upload?inajax=1duLT5gkRjy.exefalse
                                                                                                                                                            high
                                                                                                                                                            https://www.google.com/search?q=admob&oq=admobduLT5gkRjy.exefalse
                                                                                                                                                              high
                                                                                                                                                              https://iplogger.org/14Jup7duLT5gkRjy.exefalse
                                                                                                                                                                high
                                                                                                                                                                https://iplogger.org/1GWfv7=duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://iplogger.org/1SWks7duLT5gkRjy.exefalse
                                                                                                                                                                    high
                                                                                                                                                                    https://iplogger.org/1TXch7duLT5gkRjy.exefalse
                                                                                                                                                                      high
                                                                                                                                                                      https://iplogger.org/1Gczj7duLT5gkRjy.exefalse
                                                                                                                                                                        high
                                                                                                                                                                        https://iplogger.org/1Sxzs7duLT5gkRjy.exefalse
                                                                                                                                                                          high
                                                                                                                                                                          https://iplogger.org/1GiLz7duLT5gkRjy.exefalse
                                                                                                                                                                            high
                                                                                                                                                                            https://prntscr.com/upload.phphttps://prntscr.com/upload.phpduLT5gkRjy.exefalse
                                                                                                                                                                              high
                                                                                                                                                                              https://iplogger.org/1GaLz7duLT5gkRjy.exefalse
                                                                                                                                                                                high
                                                                                                                                                                                https://iplogger.org/1Smzs7duLT5gkRjy.exefalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://www.aol.comduLT5gkRjy.exefalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://iplogger.org/1CDGu7duLT5gkRjy.exefalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://iplogger.org/1yXwr7duLT5gkRjy.exefalse
                                                                                                                                                                                        high

                                                                                                                                                                                        Contacted IPs


                                                                                                                                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
149.28.253.196 | www.listincode.com | United States | 20473 | AS-CHOOPAUS | true
5.9.162.45 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
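The URL and IP tables above are the network indicators a defender would match against egress logs. What follows is an added example, not part of the Joe Sandbox report and not Joe Security's tooling: a small Python matcher that takes the C2 host from the malware configuration (ngdatas.pw), the other sample-specific hosts in the URL table (channelinfo.pw, ecgbg.com, listincode.com and its resolved address 149.28.253.196) and a handful of the iplogger.org short links, and runs them over proxy log lines. The log format and the log lines are constructed for the example. Two observations from the report drive the design: the reputation feeds still report the ngdatas.pw C2 URL as "safe" while the analysis marks it malicious, so a reputation lookup alone would not catch it; and iplogger.org itself is a legitimate service rated "high", so a generic hit on that domain is reported at lower confidence than a hit on one of the specific short links the sample embeds.

```python
"""
IOC matcher for the Socelars infrastructure listed in this report.

Added example, not part of the Joe Sandbox report or of Joe Security's tooling.
The indicator values below are copied from the report's URL and IP tables; the
proxy log format and log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# High-confidence indicators: the configured C2 and the hosts the sample
# carries URLs for that are not general-purpose public services.
C2_DOMAINS = {
    "ngdatas.pw",        # C2 URL from the malware configuration
    "channelinfo.pw",    # .../Home/Index/getExe download-stage URL
    "ecgbg.com",         # .../Home/Index/getdata
    "listincode.com",    # resolved to 149.28.253.196, flagged malicious
}
C2_IPS = {"149.28.253.196"}

# Low-confidence indicator: iplogger.org is a legitimate service, but this
# sample embeds dozens of distinct short links that act as install counters.
# A generic hit on the domain is reported separately from a known link.
TRACKER_DOMAIN = "iplogger.org"
TRACKER_PATHS = {"/1UKG97", "/1fHtp7", "/1XJq97", "/1BBCf7", "/143up7", "/1DE477"}

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _host_matches(host, domains):
    """Exact or subdomain match only; 'evilngdatas.pw' must not match 'ngdatas.pw'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return 'c2', 'tracker', 'tracker-generic' or None for a single URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_IPS or _host_matches(host, C2_DOMAINS):
        return "c2"
    if _host_matches(host, {TRACKER_DOMAIN}):
        return "tracker" if parts.path in TRACKER_PATHS else "tracker-generic"
    return None


def scan_log(lines):
    """Return [(client_ip, url, verdict)] for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        _ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed sample log; the hosts are taken from the report's tables.
SAMPLE_LOG = """\
2021-11-25T18:31:02Z 10.0.0.7 GET http://ngdatas.pw/ 200
2021-11-25T18:31:03Z 10.0.0.7 GET https://www.listincode.com/ 200
2021-11-25T18:31:04Z 10.0.0.7 GET https://iplogger.org/1UKG97 200
2021-11-25T18:31:05Z 10.0.0.9 GET https://iplogger.org/abcdef 200
2021-11-25T18:31:06Z 10.0.0.9 GET https://www.google.com/search?q=admob 200
2021-11-25T18:31:07Z 10.0.0.9 GET http://evilngdatas.pw/ 200
garbage line that does not match the log format
""".splitlines()

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:16} {client:10} {url}")
```

Matching is done on the parsed hostname rather than by substring search on the raw line, so a lookalike such as evilngdatas.pw does not fire and the www. prefix on listincode.com still does; the 1UKG97 link is reported as a known tracker hit while an arbitrary iplogger.org path only produces the lower-confidence verdict.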

                                                                                                                                                                                        General Information

                                                                                                                                                                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                                                        Analysis ID:528744
                                                                                                                                                                                        Start date:25.11.2021
                                                                                                                                                                                        Start time:18:30:10
                                                                                                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                                                                                                        Overall analysis duration:0h 7m 52s
                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                        Report type:light
                                                                                                                                                                                        Sample file name:duLT5gkRjy.exe
                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                                                        Run name:Run with higher sleep bypass
Number of new started processes analysed:20
                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                        Technologies:
                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                        • HDC enabled
                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                        Classification:mal80.troj.winEXE@2/6@2/2
                                                                                                                                                                                        EGA Information:Failed
                                                                                                                                                                                        HDC Information:Failed
                                                                                                                                                                                        HCA Information:Failed
                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                        • Adjust boot time
                                                                                                                                                                                        • Enable AMSI
                                                                                                                                                                                        • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                                        Warnings:
                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 13.89.179.12
                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match           | Associated Sample Name / URL                        | Detection | Context
----------------|-----------------------------------------------------|-----------|----------------------
149.28.253.196  | duLT5gkRjy.exe                                      | malicious | -
149.28.253.196  | EaCmG75WxF.exe                                      | malicious | -
149.28.253.196  | EaCmG75WxF.exe                                      | malicious | -
149.28.253.196  | OPKyR75fJn.exe                                      | malicious | -
149.28.253.196  | LZxr7xI4nc.exe                                      | malicious | -
149.28.253.196  | 3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe   | malicious | -
149.28.253.196  | 5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe   | malicious | -
149.28.253.196  | 23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe   | malicious | -
149.28.253.196  | 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe   | malicious | -
149.28.253.196  | FhP4JYCU7J.exe                                      | malicious | -
149.28.253.196  | FhP4JYCU7J.exe                                      | malicious | -
149.28.253.196  | 44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe   | malicious | -
149.28.253.196  | 77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe   | malicious | -
149.28.253.196  | WQRrng5aiw.exe                                      | malicious | -
149.28.253.196  | WQRrng5aiw.exe                                      | malicious | -
149.28.253.196  | 22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe   | malicious | -
149.28.253.196  | kq5Of3SOMZ.exe                                      | malicious | -
149.28.253.196  | QABYgAqa5Z.exe                                      | malicious | -
149.28.253.196  | aBGNeDS7yM.exe                                      | malicious | -
149.28.253.196  | aBGNeDS7yM.exe                                      | malicious | -
5.9.162.45      | VDnn1698j5.exe                                      | malicious | iplogger.org/1YLyj7
5.9.162.45      | TEiwRyJ2v1.exe                                      | malicious | iplogger.org/1YLyj7
5.9.162.45      | sBz6zVtsB1.exe                                      | malicious | iplogger.org/1YLyj7
5.9.162.45      | qTtykpVyaY.exe                                      | malicious | iplogger.org/1YLyj7
5.9.162.45      | mXLL1BHUQh.exe                                      | malicious | iplogger.org/1YLyj7
5.9.162.45      | EVhIUVrKx8.exe                                      | malicious | iplogger.org/2A2xh6
5.9.162.45      | pQscpg84Lh.exe                                      | malicious | iplogger.org/1PZN77
5.9.162.45      | pl8c1emoOu.exe                                      | malicious | iplogger.org/1juiu7
5.9.162.45      | RmzVjXQ0a6.exe                                      | malicious | iplogger.org/1juiu7
5.9.162.45      | fMo9q56dnX.exe                                      | malicious | iplogger.org/1juiu7
5.9.162.45      | Screenshot00112021.scr.exe                          | malicious | iplogger.org/1BwFn7.gz
5.9.162.45      | SAlxtNmHFR.exe                                      | malicious | iplogger.org/1BTpm7

Domains

Match               | Associated Sample Name / URL                        | Detection | Context
--------------------|-----------------------------------------------------|-----------|----------------
iplogger.org        | VYeSXonMT1.exe                                      | malicious | 5.9.162.45
iplogger.org        | duLT5gkRjy.exe                                      | malicious | 5.9.162.45
iplogger.org        | EaCmG75WxF.exe                                      | malicious | 5.9.162.45
iplogger.org        | EaCmG75WxF.exe                                      | malicious | 5.9.162.45
iplogger.org        | 5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe   | malicious | 5.9.162.45
iplogger.org        | 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe   | malicious | 5.9.162.45
iplogger.org        | j0UcwcqjvM.exe                                      | malicious | 5.9.162.45
iplogger.org        | 0K31jgS20G.exe                                      | malicious | 5.9.162.45
iplogger.org        | vAsfZhw32P.exe                                      | malicious | 5.9.162.45
iplogger.org        | FhP4JYCU7J.exe                                      | malicious | 5.9.162.45
iplogger.org        | FhP4JYCU7J.exe                                      | malicious | 5.9.162.45
iplogger.org        | WQRrng5aiw.exe                                      | malicious | 5.9.162.45
iplogger.org        | WQRrng5aiw.exe                                      | malicious | 5.9.162.45
iplogger.org        | e8rimWGicH.exe                                      | malicious | 5.9.162.45
iplogger.org        | kq5Of3SOMZ.exe                                      | malicious | 5.9.162.45
iplogger.org        | RtpLhZOyaf.exe                                      | malicious | 5.9.162.45
iplogger.org        | vWNrGi9qLx.exe                                      | malicious | 5.9.162.45
iplogger.org        | VDnn1698j5.exe                                      | malicious | 5.9.162.45
iplogger.org        | TEiwRyJ2v1.exe                                      | malicious | 5.9.162.45
iplogger.org        | iIrI72Motw.exe                                      | malicious | 5.9.162.45
www.listincode.com  | duLT5gkRjy.exe                                      | malicious | 149.28.253.196
www.listincode.com  | EaCmG75WxF.exe                                      | malicious | 149.28.253.196
www.listincode.com  | EaCmG75WxF.exe                                      | malicious | 149.28.253.196
www.listincode.com  | 5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe   | malicious | 149.28.253.196
www.listincode.com  | 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe   | malicious | 149.28.253.196
www.listincode.com  | FhP4JYCU7J.exe                                      | malicious | 149.28.253.196
www.listincode.com  | FhP4JYCU7J.exe                                      | malicious | 149.28.253.196
www.listincode.com  | WQRrng5aiw.exe                                      | malicious | 149.28.253.196
www.listincode.com  | WQRrng5aiw.exe                                      | malicious | 149.28.253.196
www.listincode.com  | kq5Of3SOMZ.exe                                      | malicious | 149.28.253.196
www.listincode.com  | aBGNeDS7yM.exe                                      | malicious | 149.28.253.196
www.listincode.com  | aBGNeDS7yM.exe                                      | malicious | 149.28.253.196
www.listincode.com  | f4gxrcTDkV.exe                                      | malicious | 149.28.253.196
www.listincode.com  | SOO6hKZ7M0.exe                                      | malicious | 149.28.253.196
www.listincode.com  | SOO6hKZ7M0.exe                                      | malicious | 149.28.253.196
www.listincode.com  | f4gxrcTDkV.exe                                      | malicious | 149.28.253.196
www.listincode.com  | I6erIt5Uil.exe                                      | malicious | 149.28.253.196
www.listincode.com  | I6erIt5Uil.exe                                      | malicious | 149.28.253.196
www.listincode.com  | B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe   | malicious | 149.28.253.196
www.listincode.com  | fXlJhe5OGb.exe                                      | malicious | 149.28.253.196

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                                                                                • 149.28.253.196
                                                                                                                                                                                                                                • 5.9.162.45
                                                                                                                                                                                                                                DOC5629.htmGet hashmaliciousBrowse
                                                                                                                                                                                                                                • 149.28.253.196
                                                                                                                                                                                                                                • 5.9.162.45
                                                                                                                                                                                                                                Racun je u prilogu.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                • 149.28.253.196
                                                                                                                                                                                                                                • 5.9.162.45
                                                                                                                                                                                                                                exe.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                • 149.28.253.196
                                                                                                                                                                                                                                • 5.9.162.45
                                                                                                                                                                                                                                INF-BRdocsx.NDVDELDKRS.msiGet hashmaliciousBrowse
                                                                                                                                                                                                                                • 149.28.253.196
                                                                                                                                                                                                                                • 5.9.162.45

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_duLT5gkRjy.exe_1716a7dbaca25d22b8ce403b85cf2c886155787b_b69a8483_13b5e2e5\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0233191102109929
Encrypted: false
SSDEEP: 192:Anc8oB6HBUZMXYjmH6v8/u7sOS274Itc1:dBSBUZMXYj18/u7sOX4Itc
MD5: 64532E6982B75B13DCB8E8AFE3E5D9E0
SHA1: 4F58B6E10EBA0E84C59F55D67F5D450350A44670
SHA-256: 1BF3C2BBF16B5EED060FD344A1E2879505549B8417BA80CC436F9689C0ABD050
SHA-512: 67B5736CB2CA94A37AF63A7B3C26DA5E3EA27800A15799EB5019E6E6029993485AFD14C4C2C06DB4B727A71937E2AE0851784CD9386580198F4FA7D2FBAE4D5B
Malicious: true
Reputation: low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC887.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri Nov 26 02:31:19 2021, 0x1205a4 type
Category: dropped
Size (bytes): 133586
Entropy (8bit): 1.9575006011588891
Encrypted: false
SSDEEP: 768:a6GOGq543us47/2TTV50q1LWT67lBm8k:nGqqZ4LKVdLial08k
MD5: 7FA23BBCFBD011A38BF36DD254ACF6B0
SHA1: 8410BD2F5824B1AB8989369B9A3C628837D348A3
SHA-256: 82EA97751C7F3D31CD2F84A0E68B9B1DB72EAF45EB3C134ECD34380AF75A4B13
SHA-512: 66C5ED495472BB3B42958DBE84FC4AFAE843C19DD63B4CE0340C0948885406627107C9E120FCA7ACC933223A433E64AF51235EC1A6BA61AF9E8141EB4DA80F90
Malicious: false
Reputation: low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD308.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8306
Entropy (8bit): 3.700997041446704
Encrypted: false
SSDEEP: 192:Rrl7r3GLNioa6I6YFMSUUmagmffSFCpr2f89bF7sfSXm:RrlsNiF6I6YuSUUmagmffScFAf7
MD5: 33CB3256453AE76BE6D89398FA592F7E
SHA1: 8654B77403BFA841A21276F51A95605ABCCD816C
SHA-256: D9596FBC7F7EFDDB3A2DF46D3F688C8E12253C9DF81DDEE5C0EC5D5BB4F2FCBC
SHA-512: 6CAEF9E616B5ACF2A02E23A09A154260AB0B0F478D92D6E4856FCB2D484A881ADF00E786C2F58D911D5EE1EA39DF6D5054EF959232206B660E317A5BAB379766
Malicious: false
Reputation: low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD693.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4563
Entropy (8bit): 4.475383153915464
Encrypted: false
SSDEEP: 48:cvIwSD8zssJgtWI9CUWSC8BeZ8fm8M4JnCfBifsFw+q8OxuDOj5tdF0q0Fd:uITfqFNSNQeJnC81XQStdF0q0Fd
MD5: D76B493DDC621380DC76E582217ED256
SHA1: 143AAB5BDD3F857150EA509D20A43E5E361563A6
SHA-256: 896B01034D3EBB0E57C1E297E7109C2E2CEAE8E0469E193D3DACBB65A8DD8D1C
SHA-512: D471889DE7BE37B3D8EB3085CBF3A68A7999273AE4F34000E9D697A3E7BFFCB268D9A691196B90D82744F347EB56CC7D377B7C2A6791BEC85C5CEBF003EDF09E
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270781" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1572864
Entropy (8bit): 4.2725546722942855
Encrypted: false
SSDEEP: 12288:0DA07ZfdOy5nfGhGoOf0kxdQFkRT5dZc/sv8p/OxOHoVoIi2p0L3O:MA07ZfdOy5nfGhiK
MD5: A6693480A81EF21D7876A7896A7A3749
SHA1: C7B276BF35B42C64272A88CD7BB06921597B5F76
SHA-256: 7F61CC853388EEF9D9D3486AF095472F0D7FFB818D0DBACB6AD27054DC568A30
SHA-512: EA29C0F9B5BDCC37873F7AE73073CD8CFF84764685C6888A264D35D654AD5A6B24993F8B0B88CB43CEDD59ABF87591AC0F915D829F5949AF721061382ED01421
Malicious: false
Reputation: low

C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 36864
Entropy (8bit): 4.208443372093175
Encrypted: false
SSDEEP: 768:/zhdCYMwqh/r3CmC5ftx1PJ4X8FFtr7pBqXieq5QMVyi6a74LXRuzmHjW:kf/yzfoCReI
MD5: 580DA4A16D4EEEE9725C6DEBF8FB021F
SHA1: D121FB158E66331237922491C237BFD209EC7A2F
SHA-256: 4FA6C26141496B0660848CE64070C9A1835DB5BAF9F1BEDB030879966E180513
SHA-512: F7D3A3AF3E30CB8DF4BC7BC777B3E12AE0A0315E1B479F6B284146DAA0027BA45028C6ABC937AD86A79E482315C9A7F7092147B3D6FC10A019DD4EC508667DDB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..,.m................................................................................................................................................................................................................................................................................................................................................(.HvLE........Y............84.\w....0".I{7......... ....... .......P.......0................... ..hbin................p.\..,..........nk,...,.m................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...,.m....... ........................... .......Z.......................Root........lf......Root....nk ...,.m....................}.............. ...............*...............DeviceCensus.......................vk..................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.685246086092563
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: duLT5gkRjy.exe
File size: 1552896
MD5: d42456f7afc812628a9ff67d8c9340eb
SHA1: 30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256: a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
SHA512: 02de7cd71c5155ac5d08f7e432f5f3a138a6800d74479c4696cf877bbcf8fc99bbbf972a50991ca978b5416b89d76b6ab652a9d7315bc61b1baf23aacfdbd755
SSDEEP: 24576:+CjpXA4U35ozW03XRp/hESVE5uU2xbVN6pZVnoYLRZgUQs8n:rpTJxPNlcPVnoYLRZvz8n
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........@...............-.......+.w.....+.......*.......-.......&.......*.......(......./......./.7.....*.......+....................

File Icon

Icon Hash: c8d8d8b6f0f83c58

Static PE Info

General

Entrypoint: 0x4e5eb3
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619F64CF [Thu Nov 25 10:26:23 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: d69e4c13e25f0ad622344ac56118c0df

Entrypoint Preview

Instruction
call 00007F77545C60EEh
jmp 00007F77545C5AC9h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00528BCCh
mov dword ptr [ecx], 0051A510h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F77545C5C2Fh
push 00543C5Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F77545C7AD3h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F7754575B75h
push 0053FF54h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F77545C7AB6h
int3
int3
push 004E9EA0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00546944h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [0054C488h], 00000000h
sub esp, 24h
or dword ptr [00546960h], 01h
push 0000000Ah
call dword ptr [0051A1D4h]
test eax, eax
je 00007F77545C5DFFh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1445f4         0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x14f000         0x2c550       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x17c000         0x8098        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x13d910         0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x13da40         0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x13d948         0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x11a000         0x30c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1122a1 | 0x112400 | False | 0.505059964676 | data | 6.55728577412 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.ogtrfyj | 0x114000 | 0x580a | 0x5a00 | False | 0.466579861111 | data | 5.981573238 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x11a000 | 0x2b7b2 | 0x2b800 | False | 0.447607983118 | data | 5.81232244285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x146000 | 0x77a4 | 0x2e00 | False | 0.252802309783 | data | 3.89020136245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ogtrfyj | 0x14e000 | 0x50 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x14f000 | 0x2c550 | 0x2c600 | False | 0.68740096831 | data | 6.50827273455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x17c000 | 0x8098 | 0x8200 | False | 0.705498798077 | data | 6.64096530369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
ZIP | 0x16f100 | 0xc2ce | Zip archive data, at least v1.0 to extract | Chinese | China
RT_ICON | 0x14f360 | 0x668 | data | Chinese | China
RT_ICON | 0x14f9c8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2541320505, next used block 1153431 | Chinese | China
RT_ICON | 0x14fcb0 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x14fdd8 | 0xea8 | data | Chinese | China
RT_ICON | 0x150c80 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15757402, next used block 15166820 | Chinese | China
RT_ICON | 0x151528 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x151a90 | 0x9160 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China
RT_ICON | 0x15abf0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | Chinese | China
RT_ICON | 0x16b418 | 0x25a8 | data | Chinese | China
RT_ICON | 0x16d9c0 | 0x10a8 | data | Chinese | China
RT_ICON | 0x16ea68 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_GROUP_ICON | 0x16eed0 | 0xa0 | data | Chinese | China
RT_VERSION | 0x16ef70 | 0x18c | PGP symmetric key encrypted data - Plaintext or unencrypted data | Chinese | China
RT_MANIFEST | 0x17b3d0 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
KERNEL32.dll | GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA
ADVAPI32.dll | LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken
SHELL32.dll | ShellExecuteExA
ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
WININET.dll | InternetGetCookieExA
NETAPI32.dll | Netbios
ntdll.dll | RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2019
FileVersion | 1.0.0.1
ProductVersion | 1.0.0.1
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China
English | United States

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 18:31:12.471581936 CET | 58045 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 18:31:12.510402918 CET | 53 | 58045 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 18:31:13.787858963 CET | 57459 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 18:31:13.825834036 CET | 53 | 57459 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 18:31:12.471581936 CET | 192.168.2.3 | 8.8.8.8 | 0x9a8b | Standard query (0) | www.listincode.com | A (IP address) | IN (0x0001)
Nov 25, 2021 18:31:13.787858963 CET | 192.168.2.3 | 8.8.8.8 | 0x7bcf | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)

                                                                                                                                                                                                                                DNS Answers

                                                                                                                                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                                                                                                Nov 25, 2021 18:31:12.510402918 CET8.8.8.8192.168.2.30x9a8bNo error (0)www.listincode.com149.28.253.196A (IP address)IN (0x0001)
                                                                                                                                                                                                                                Nov 25, 2021 18:31:13.825834036 CET8.8.8.8192.168.2.30x7bcfNo error (0)iplogger.org5.9.162.45A (IP address)IN (0x0001)

HTTP Request Dependency Graph

• www.listincode.com
• iplogger.org

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49742 | 149.28.253.196 | 443 | C:\Users\user\Desktop\duLT5gkRjy.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:31:13 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.listincode.com
Cache-Control: no-cache
2021-11-25 17:31:13 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Nov 2021 17:31:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2
Connection: close
X-Powered-By: PHP/5.6.40
Access-Control-Allow-Origin: *
2021-11-25 17:31:13 UTC | 0 | IN | Data Raw: 47 42
Data Ascii: GB


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49743 | 5.9.162.45 | 443 | C:\Users\user\Desktop\duLT5gkRjy.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:31:13 UTC | 0 | OUT | GET /1GWfv7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: iplogger.org
Cache-Control: no-cache
2021-11-25 17:31:13 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Nov 2021 17:31:13 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: close
Set-Cookie: clhf03028ja=84.17.52.63; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=241186718; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 25 Nov 2021 17:31:13 +0000
Answers:
whoami: dd7a5982e8b1de9b0cc7da7fe0ec7879c44089276a00308f59743c09424407f5
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
2021-11-25 17:31:13 UTC | 1 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a
Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 18:31:11
Start date: 25/11/2021
Path: C:\Users\user\Desktop\duLT5gkRjy.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\duLT5gkRjy.exe"
Imagebase: 0xf40000
File size: 1552896 bytes
MD5 hash: D42456F7AFC812628A9FF67D8C9340EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.306515847.000000000105A000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:31:15
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116
Imagebase: 0xbf0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
