Play interactive tour

Edit tour

Windows Analysis Report 0Jk67LObin

Overview

General Information

Sample Name:	0Jk67LObin (renamed file extension from none to exe)
Analysis ID:	541178
MD5:	bb9e3c71b3ee3279632905f905ac21c4
SHA1:	a2b1d81ec6a21b52f555f5ec7e9cf9a73f937971
SHA256:	2f60704e2dac47d532955485a04c195dffa41f9e638527ac42c82a224b2202ea
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Jester Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Jester Stealer

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Found Tor onion address

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

.NET source code contains very large array initializations

Tries to harvest and steal Bitcoin Wallet information

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Checks if the current process is being debugged

Binary contains a suspicious time stamp

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

0Jk67LObin.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\0Jk67LObin.exe" MD5: BB9E3C71B3EE3279632905F905AC21C4)

dfsvc.exe (PID: 6664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)

aspnet_regsql.exe (PID: 6732 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe MD5: DC0A2353DC4A9CDCF7B0F959DA258B4E)

WerFault.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: JesterStealer

{"Mutex": "efbb42d7-d0db-4f16-a194-3d9d9d1fc654", "C2 url": "http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.658704616.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.672373133.0000000004480000.00000004.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.668116597.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.704657920.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.659697803.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.659380466.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.659070021.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0Jk67LObin.exe PID: 6212	JoeSecurity_JesterStealer	Yara detected Jester Stealer	Joe Security
Process Memory Space: 0Jk67LObin.exe PID: 6212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regsql.exe PID: 6732	JoeSecurity_JesterStealer	Yara detected Jester Stealer	Joe Security
Process Memory Space: aspnet_regsql.exe PID: 6732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WerFault.exe PID: 5672	JoeSecurity_JesterStealer	Yara detected Jester Stealer	Joe Security
Process Memory Space: WerFault.exe PID: 5672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.0Jk67LObin.exe.3537fd0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0Jk67LObin.exe.4480000.13.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0Jk67LObin.exe.3537fd0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0Jk67LObin.exe.5e10000.20.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0Jk67LObin.exe.5e10000.20.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_regsql.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0Jk67LObin.exe.3517fb0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0Jk67LObin.exe.4480000.13.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.aspnet_regsql.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.0Jk67LObin.exe.5e10000.20.raw.unpack

Malware Configuration Extractor: JesterStealer {"Mutex": "efbb42d7-d0db-4f16-a194-3d9d9d1fc654", "C2 url": "http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man"}

Multi AV Scanner detection for submitted file

Show sources

Source: 0Jk67LObin.exe

Virustotal: Detection: 23%

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF1718 CryptUnprotectData,		4_2_05FF1718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF2520 CryptUnprotectData,		4_2_05FF2520

Source: 0Jk67LObin.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: onfiguration.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.679761108.00000000035EA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679459993.00000000035EA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679385898.00000000035C0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679938926.00000000035EC000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679822056.00000000035EA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679834510.00000000035C0000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.690590962.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690675616.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690467733.0000000005AF7000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbc source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.679373571.00000000035B4000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.690640649.0000000005930000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbR) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: RSAdows\mscorlib.pdb source: aspnet_regsql.exe, 00000004.00000000.668595799.0000000000CD3000.00000004.00000020.sdmp, aspnet_regsql.exe, 00000004.00000002.705294557.0000000000CD3000.00000004.00000020.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.679840119.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679393148.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679911809.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Build.Tasks/Release/net472/Microsoft.Build.Tasks.Core.pdbSHA256 source: 0Jk67LObin.exe
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbl) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: aspnet_regsql.pdb source: 0Jk67LObin.exe, 00000000.00000002.672466502.00000000044F0000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672074305.00000000035B2000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: ecurity.pdbn source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: b.pdb=p source: aspnet_regsql.exe, 00000004.00000000.671929213.0000000005D6A000.00000004.00000010.sdmp, aspnet_regsql.exe, 00000004.00000002.707701555.0000000005D6A000.00000004.00000010.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.690590962.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690675616.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690467733.0000000005AF7000.00000004.00000040.sdmp
Source:	Binary string: aspnet_regsql.pdbP source: 0Jk67LObin.exe, 00000000.00000002.672466502.00000000044F0000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672074305.00000000035B2000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdbWjj source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: dfsvc.pdb source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp
Source:	Binary string: clrcompression.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\aspnet_regsql.pdb5 source: aspnet_regsql.exe, 00000004.00000000.668595799.0000000000CD3000.00000004.00000020.sdmp, aspnet_regsql.exe, 00000004.00000002.705294557.0000000000CD3000.00000004.00000020.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: dpapi.pdbp) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.679385898.00000000035C0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679834510.00000000035C0000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERB49.tmp.dmp.9.dr
Source:	Binary string: .winmd.exe.pdb.xml.pri-TargetFrameworkSubsets;InstalledAssemblySubsetTables7FullFrameworkAssemblyTables=FullTargetFrameworkSubsetNames source: 0Jk67LObin.exe
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.pdbP>Q source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERB49.tmp.dmp.9.dr
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERB49.tmp.dmp.9.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: System.Security.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: .pdb* source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbSystem.Management.dll source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdbj) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Build.Tasks/Release/net472/Microsoft.Build.Tasks.Core.pdb source: 0Jk67LObin.exe
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdbT) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: dfsvc.pdbD.^. P._CorExeMainmscoree.dll source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb~) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.679373571.00000000035B4000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERB49.tmp.dmp.9.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb@) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbX) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: ecurity.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.679840119.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679393148.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679911809.00000000035C6000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: clrcompression.pdb_ source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbN) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Security.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdbf) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp

Networking:

Found Tor onion address

Show sources

Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp

String found in binary or memory: mVhttp://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man

May check the online IP address of the machine

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

DNS query: name: ip-api.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man

Source: global traffic

HTTP traffic detected: GET /json?fields=query HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: .facebook.comGhttps://www.facebook.com/adsmanager equals www.facebook.com (Facebook)
Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: .youtube.comShttps://www.youtube.com/channel/{0}/about equals www.youtube.com (Youtube)
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j

Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: aspnet_regsql.exe, 00000004.00000000.673253442.000000000295E000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com
Source: aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/json?fields=T
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/json?fields=query
Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com4Tl
Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp	String found in binary or memory: http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706449702.000000000292C000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0Jk67LObin.exe	String found in binary or memory: https://aka.ms/msbuild/MSB4803
Source: 0Jk67LObin.exe	String found in binary or memory: https://aka.ms/msbuild/developerpacks
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://api.blockcypher.com/v1/dash/main/addrs/
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://api.github.com/users/
Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://chain.api.btc.com/v3/address/
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_address_balance/LTC/
Source: 0Jk67LObin.exe	String found in binary or memory: https://code.visualstudio.com/0
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://dogechain.info/api/v1/address/balance/
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://dogechain.info/api/v1/address/balance/ahttps://chain.so/api/v2/get_address_balance/LTC/#conf
Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabu
Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabush
Source: aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/graphql/query/?query_hash=
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://lookup.binlist.net/
Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://store.steampowered.com/account
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://www.epicgames.com/account/transactions
Source: aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/myaccount/money
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/channel/

Source: unknown

DNS traffic detected: queries for: 59.60.14.0.in-addr.arpa

Source: global traffic

HTTP traffic detected: GET /json?fields=query HTTP/1.1Host: ip-api.comConnection: Keep-Alive

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 0Jk67LObin.exe, C7570F0A2/D7CDC980B.cs

Large array initialization: System.UInt64[] C7570F0A2.D7CDC980B::A9088C219: array initializer size 8704

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_0230B288	0_2_0230B288
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_023093C8	0_2_023093C8
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_02303110	0_2_02303110
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_0230AA80	0_2_0230AA80
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_02302AE8	0_2_02302AE8
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_023089E0	0_2_023089E0
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_0230BDB0	0_2_0230BDB0
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_02309398	0_2_02309398
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_02309EF8	0_2_02309EF8
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E091C8	0_2_05E091C8
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E032A8	0_2_05E032A8
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E03C18	0_2_05E03C18
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E0AF70	0_2_05E0AF70
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E025E9	0_2_05E025E9
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E0332A	0_2_05E0332A
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E03298	0_2_05E03298
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E03C09	0_2_05E03C09
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E0AEF8	0_2_05E0AEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_026A8690	4_2_026A8690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_026A1778	4_2_026A1778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_026AC9A8	4_2_026AC9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_026A8F60	4_2_026A8F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_026A8348	4_2_026A8348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_026A1768	4_2_026A1768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF0DD8	4_2_05FF0DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF6900	4_2_05FF6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF6B20	4_2_05FF6B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF3A08	4_2_05FF3A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Code function: 4_2_05FF08D0	4_2_05FF08D0

Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672664840.0000000004C50000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.668078311.00000000024E7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000000.649851214.00000000001AC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAdMunch.exe6 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672466502.00000000044F0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameaspnet_regsql.exeT vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672146568.0000000003679000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672146568.0000000003679000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672074305.00000000035B2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameaspnet_regsql.exeT vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.666959667.0000000000012000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUltimate.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.672290170.0000000003F0D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000003.652088687.0000000003F6F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedfsvc.exeT vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHwxN EPv.exe2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe	Binary or memory string: OriginalFilenameUltimate.dll2 vs 0Jk67LObin.exe
Source: 0Jk67LObin.exe	Binary or memory string: OriginalFilenameAdMunch.exe6 vs 0Jk67LObin.exe

Source: 0Jk67LObin.exe

Static PE information: invalid certificate

Source: 0Jk67LObin.exe

Virustotal: Detection: 23%

Source: 0Jk67LObin.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0Jk67LObin.exe "C:\Users\user\Desktop\0Jk67LObin.exe"
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\0Jk67LObin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Jk67LObin.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@2/1

Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/D6795E7F8.cs	Task registration methods: 'CreateManifestName'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/C8BC1DC04.cs	Task registration methods: 'CreateManifestName'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/B7775143B.cs	Task registration methods: 'CreateManifestName'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/Deployment.ManifestUtilities/FC23BF4D3.cs	Task registration methods: 'set_CreateDesktopShortcut', 'get_XmlCreateDesktopShortcut', 'set_XmlCreateDesktopShortcut', 'get_CreateDesktopShortcut'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/FE165B4BE.cs	Task registration methods: 'set_CreateDesktopShortcut', 'get_CreateDesktopShortcut'
Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/C78F1F52A.cs	Task registration methods: 'get_StronglyTypedResourceSuccessfullyCreated', 'get_UnsuccessfullyCreatedOutFiles'

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 4.2.aspnet_regsql.exe.400000.0.unpack, n_4urka/c_DeregisterFromAssembly_mrsegy.cs

Base64 encoded string: 'WfW86nK5ExfnQeMWWE2qCdZzCBl7cG7bFjN4V6SvwGFpVj3zzMeka+DNeW4hGFfzt4wAN7XRBjG7pIY/oq9VJw==', 'hVwhMAQNsUXyljDP71vd98m72GL53YAwGlDjCsssHfNDfkw2BM3ZHfN+iRO2iuNMG5h7s4o49SGOokidda1jDw==', 'zjkXUWzNCbrCuNvyAwk+9UUL/F9+lNCcmZWr0gasSBams001D5NvgW8oCOmaR521', 'ZznELENvuYFvbI+5UX6Zctn8b3gvN4ON8e+aM5VaDwoWiwHrJ7vto3MSjZf+Tt9AjOFIGBzXx+7k8vESsDmPTw=='

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Mutant created: \Sessions\1\BaseNamedObjects\efbb42d7-d0db-4f16-a194-3d9d9d1fc654

Source: 0Jk67LObin.exe

Binary or memory string: @(AMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln

Source: 0Jk67LObin.exe

String found in binary or memory: ,/InstalledAssemblyTables%FrameworkDirectory9IgnoreInstalledAssemblyTable3AllowedAssemblyExtensions9AllowedRelatedFileExtensions

Source: 0Jk67LObin.exe, C7570F0A2/D28055528.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.aspnet_regsql.exe.400000.0.unpack, n_Hoxol/c_u003cAwakeu003eb__12_0_riqjth.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.aspnet_regsql.exe.400000.0.unpack, n_rukoblyd/c_Reload_hxtwvx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\0Jk67LObin.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 0Jk67LObin.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 0Jk67LObin.exe

Static file information: File size 1745272 > 1048576

Source: 0Jk67LObin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0Jk67LObin.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x198a00

Source: 0Jk67LObin.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: 0Jk67LObin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: onfiguration.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.679761108.00000000035EA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679459993.00000000035EA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679385898.00000000035C0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679938926.00000000035EC000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679822056.00000000035EA000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679834510.00000000035C0000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.690590962.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690675616.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690467733.0000000005AF7000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbc source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.679373571.00000000035B4000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.690640649.0000000005930000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbR) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: RSAdows\mscorlib.pdb source: aspnet_regsql.exe, 00000004.00000000.668595799.0000000000CD3000.00000004.00000020.sdmp, aspnet_regsql.exe, 00000004.00000002.705294557.0000000000CD3000.00000004.00000020.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.679840119.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679393148.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679911809.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Build.Tasks/Release/net472/Microsoft.Build.Tasks.Core.pdbSHA256 source: 0Jk67LObin.exe
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbl) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: aspnet_regsql.pdb source: 0Jk67LObin.exe, 00000000.00000002.672466502.00000000044F0000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672074305.00000000035B2000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: ecurity.pdbn source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: b.pdb=p source: aspnet_regsql.exe, 00000004.00000000.671929213.0000000005D6A000.00000004.00000010.sdmp, aspnet_regsql.exe, 00000004.00000002.707701555.0000000005D6A000.00000004.00000010.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.690590962.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690675616.0000000005AF7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690467733.0000000005AF7000.00000004.00000040.sdmp
Source:	Binary string: aspnet_regsql.pdbP source: 0Jk67LObin.exe, 00000000.00000002.672466502.00000000044F0000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672074305.00000000035B2000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdbWjj source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: dfsvc.pdb source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp
Source:	Binary string: clrcompression.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\aspnet_regsql.pdb5 source: aspnet_regsql.exe, 00000004.00000000.668595799.0000000000CD3000.00000004.00000020.sdmp, aspnet_regsql.exe, 00000004.00000002.705294557.0000000000CD3000.00000004.00000020.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: dpapi.pdbp) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.679385898.00000000035C0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679834510.00000000035C0000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERB49.tmp.dmp.9.dr
Source:	Binary string: .winmd.exe.pdb.xml.pri-TargetFrameworkSubsets;InstalledAssemblySubsetTables7FullFrameworkAssemblyTables=FullTargetFrameworkSubsetNames source: 0Jk67LObin.exe
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.pdbP>Q source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERB49.tmp.dmp.9.dr
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERB49.tmp.dmp.9.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb" source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: System.Security.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: .pdb* source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbSystem.Management.dll source: WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdbj) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Build.Tasks/Release/net472/Microsoft.Build.Tasks.Core.pdb source: 0Jk67LObin.exe
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdbT) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: dfsvc.pdbD.^. P._CorExeMainmscoree.dll source: 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb~) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.679373571.00000000035B4000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERB49.tmp.dmp.9.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb@) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbX) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: ecurity.pdb source: WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.690654909.0000000005AF0000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.679840119.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679393148.00000000035C6000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.679911809.00000000035C6000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.690487795.0000000005941000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.690423417.0000000005AF2000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: clrcompression.pdb_ source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.690606290.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690712168.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690476479.0000000005AFA000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690436503.0000000005AFA000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbN) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.690517630.0000000005B0B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, WERB49.tmp.dmp.9.dr
Source:	Binary string: System.Security.pdbx source: WerFault.exe, 00000009.00000002.704388608.0000000006160000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdbf) source: WerFault.exe, 00000009.00000003.690395557.0000000005AFE000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/DB856415B.cs

.Net Code: D944AA25A System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_001071D3 pushad ; retf 0002h	0_2_00107AD9
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_023006D1 push eax; mov dword ptr [esp], ecx	0_2_023006D4
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_0230C198 push esp; ret	0_2_0230C199
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E0F402 push E801005Eh; ret	0_2_05E0F409
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E04004 push E801EA5Eh; ret	0_2_05E04009
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Code function: 0_2_05E05D02 push E802005Eh; ret	0_2_05E05D09

Source: 0Jk67LObin.exe

Static PE information: real checksum: 0x1ab6aa should be: 0x1ae468

Source: 0Jk67LObin.exe

Static PE information: 0xA4785B1C [Sat Jun 9 22:24:28 2057 UTC]

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706449702.000000000292C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL@
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Size FROM Win32_LogicalDisk WHERE DriveType = 3

Source: C:\Users\user\Desktop\0Jk67LObin.exe TID: 1260

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select TotalPhysicalMemory From Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Model from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer from Win32_ComputerSystem

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: 0Jk67LObin.exe, 00000000.00000002.672146568.0000000003679000.00000004.00000001.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: Amcache.hve.9.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: aspnet_regsql.exe, 00000004.00000000.668595799.0000000000CD3000.00000004.00000020.sdmp, aspnet_regsql.exe, 00000004.00000002.705294557.0000000000CD3000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000009.00000002.704063527.00000000053C0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000009.00000002.704092168.00000000053F6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWI
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Code function: 0_2_02300748 LdrInitializeThunk,

0_2_02300748

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 683008	Jump to behavior

.NET source code references suspicious native API functions

Show sources

Source: 0Jk67LObin.exe, Microsoft.Build.Tasks/Deployment.ManifestUtilities/D5A596910.cs	Reference to suspicious API methods: ('F7611EFBB', 'FindResource@Kernel32.dll'), ('A24CAA851', 'LoadLibraryExW@Kernel32.dll')
Source: 0Jk67LObin.exe, Microsoft.Build.Shared/DB8ED9458.cs	Reference to suspicious API methods: ('CB317ECD5', 'LoadLibrary@kernel32.dll'), ('A734F6700', 'GetProcAddress@kernel32.dll'), ('A407BAE71', 'OpenProcess@KERNEL32.DLL')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe			Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe			Jump to behavior

Source: aspnet_regsql.exe, 00000004.00000000.672800235.0000000001130000.00000002.00020000.sdmp, aspnet_regsql.exe, 00000004.00000000.668949839.0000000001130000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: aspnet_regsql.exe, 00000004.00000000.672800235.0000000001130000.00000002.00020000.sdmp, aspnet_regsql.exe, 00000004.00000000.668949839.0000000001130000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: aspnet_regsql.exe, 00000004.00000000.672800235.0000000001130000.00000002.00020000.sdmp, aspnet_regsql.exe, 00000004.00000000.668949839.0000000001130000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: aspnet_regsql.exe, 00000004.00000000.672800235.0000000001130000.00000002.00020000.sdmp, aspnet_regsql.exe, 00000004.00000000.668949839.0000000001130000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\0Jk67LObin.exe	Queries volume information: C:\Users\user\Desktop\0Jk67LObin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Jk67LObin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\0Jk67LObin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Jester Stealer

Show sources

Source: Yara match	File source: Process Memory Space: 0Jk67LObin.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regsql.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5672, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp	String found in binary or memory: electrum
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp	String found in binary or memory: [Jaxx] {0}
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp	String found in binary or memory: exodus.wallet!exodus.conf.json
Source: aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: m4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	String found in binary or memory: m9C:\Users\user\AppData\Roaming\Jaxx\Local Storage\lex
Source: 0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp	String found in binary or memory: [Exodus] {0}
Source: aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	String found in binary or memory: mDC:\Users\user\AppData\Roaming\Exodus\exodus.wallet\exodus.conf.json
Source: 0Jk67LObin.exe	String found in binary or memory: get_MachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: 0.2.0Jk67LObin.exe.3537fd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Jk67LObin.exe.4480000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Jk67LObin.exe.3537fd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Jk67LObin.exe.5e10000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Jk67LObin.exe.5e10000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_regsql.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Jk67LObin.exe.3517fb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Jk67LObin.exe.4480000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aspnet_regsql.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.658704616.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672373133.0000000004480000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.668116597.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.704657920.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.659697803.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.659380466.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.659070021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0Jk67LObin.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regsql.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5672, type: MEMORYSTR

Remote Access Functionality:

Yara detected Jester Stealer

Show sources

Source: Yara match	File source: Process Memory Space: 0Jk67LObin.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regsql.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5672, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	Scheduled Task/Job1	Process Injection312	Disable or Modify Tools1	OS Credential Dumping1	System Information Discovery34	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Credentials in Registry1	Security Software Discovery241	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Virtualization/Sandbox Evasion51	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion51	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection312	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0Jk67LObin.exe	23%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://api.anonfiles.com/upload	0%	Virustotal		Browse
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://ip-api.com4Tl	0%	Avira URL Cloud	safe
http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man	0%	Avira URL Cloud	safe
http://127.0.0.1:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
59.60.14.0.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json?fields=query	false		high
http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.github.com/users/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://store.steampowered.com/account	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://www.youtube.com/channel/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://chain.so/api/v2/get_address_balance/LTC/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/chrome_newtab	aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
https://code.visualstudio.com/0	0Jk67LObin.exe	false		high
https://duckduckgo.com/ac/?q=	aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/chrome_newtabush	aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_wmp	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
https://lookup.binlist.net/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/answer/6258784	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	false		high
https://discordapp.com/api/v6/users/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://ip-api.com/json?fields=T	aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_java	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://www.paypal.com/myaccount/money	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_real	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
https://dogechain.info/api/v1/address/balance/ahttps://chain.so/api/v2/get_address_balance/LTC/#conf	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://api.anonfiles.com/upload	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://www.epicgames.com/account/transactions	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_pdf	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
http://ip-api.com	aspnet_regsql.exe, 00000004.00000000.673253442.000000000295E000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.671191514.0000000002950000.00000004.00000001.sdmp	false		high
https://steamcommunity.com/profiles/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	false		high
https://aka.ms/msbuild/developerpacks	0Jk67LObin.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706449702.000000000292C000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
http://ip-api.com4Tl	aspnet_regsql.exe, 00000004.00000000.672993382.0000000002851000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/msbuild/MSB4803	0Jk67LObin.exe	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
https://instagram.com/graphql/query/?query_hash=	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://chain.api.btc.com/v3/address/	WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
http://127.0.0.1:	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplayer/security/02062012_player/en/	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp	false		high
https://dogechain.info/api/v1/address/balance/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	aspnet_regsql.exe, 00000004.00000000.670491811.0000000002897000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673376868.00000000029E9000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706589411.0000000002976000.00000004.00000001.sdmp	false		high
https://api.blockcypher.com/v1/dash/main/addrs/	WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/chrome_newtabu	aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000009.00000003.688734702.0000000005C60000.00000004.00000001.sdmp	false		high
https://instagram.com/	0Jk67LObin.exe, 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, 0Jk67LObin.exe, 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.668098706.00000000024FB000.00000004.00000001.sdmp, 0Jk67LObin.exe, 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regsql.exe, 00000004.00000002.706286774.00000000028EA000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673081128.00000000028BD000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000002.706346319.0000000002902000.00000004.00000001.sdmp, aspnet_regsql.exe, 00000004.00000000.673109580.00000000028D2000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	541178
Start date:	16.12.2021
Start time:	19:31:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0Jk67LObin (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/7@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 56 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 23.54.113.53, 20.42.73.29 Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, dual-a-0001.a-msedge.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com, arc.msn.com Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:32:27	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.95.112.1	6VTSHr3nIo.exe	Get hash	malicious	Browse	ip-api.com/json/
	sAHuzbfzyE.exe	Get hash	malicious	Browse	ip-api.com/json/
	uC45gMKvoS.exe	Get hash	malicious	Browse	ip-api.com/json
	Hj67HZkZkG.exe	Get hash	malicious	Browse	ip-api.com/json/
	NFE_87654.MSI	Get hash	malicious	Browse	ip-api.com/json/
	Gonderi.xls	Get hash	malicious	Browse	ip-api.com/json/
	ORD0210467.doc	Get hash	malicious	Browse	ip-api.com/json/
	lRD8O9tHC3.exe	Get hash	malicious	Browse	ip-api.com/json
	hbQlo7Tz3a.exe	Get hash	malicious	Browse	ip-api.com/json
	NotaFiscal.msi	Get hash	malicious	Browse	ip-api.com/json/
	aInjector Win64_x32.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	7cOEz96mi8.exe	Get hash	malicious	Browse	ip-api.com//json/102.129.143.62
	O9A0UekqQN.exe	Get hash	malicious	Browse	ip-api.com//json/102.129.143.62
	Emir NO;200938.122022.xls	Get hash	malicious	Browse	ip-api.com/json/
	Envio .xls	Get hash	malicious	Browse	ip-api.com/json/
	c1d35edc-2df8-559b-abe2-5185c1b9b0eb.exe	Get hash	malicious	Browse	ip-api.com/json/
	34CCAE63B50259B758A5B68F579077E5152D9568CD1F9.exe	Get hash	malicious	Browse	ip-api.com/json/
	VA6tIRHaBe.exe	Get hash	malicious	Browse	ip-api.com/json/
	Acciones de Java.js	Get hash	malicious	Browse	ip-api.com/json/
	DY6NIa6uCJ.exe	Get hash	malicious	Browse	ip-api.com/json/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ip-api.com	6VTSHr3nIo.exe	Get hash	malicious	Browse	208.95.112.1
	sAHuzbfzyE.exe	Get hash	malicious	Browse	208.95.112.1
	uC45gMKvoS.exe	Get hash	malicious	Browse	208.95.112.1
	Hj67HZkZkG.exe	Get hash	malicious	Browse	208.95.112.1
	NFE_87654.MSI	Get hash	malicious	Browse	208.95.112.1
	Gonderi.xls	Get hash	malicious	Browse	208.95.112.1
	ORD0210467.doc	Get hash	malicious	Browse	208.95.112.1
	lRD8O9tHC3.exe	Get hash	malicious	Browse	208.95.112.1
	hbQlo7Tz3a.exe	Get hash	malicious	Browse	208.95.112.1
	NotaFiscal.msi	Get hash	malicious	Browse	208.95.112.1
	aInjector Win64_x32.exe	Get hash	malicious	Browse	208.95.112.1
	7cOEz96mi8.exe	Get hash	malicious	Browse	208.95.112.1
	O9A0UekqQN.exe	Get hash	malicious	Browse	208.95.112.1
	Emir NO;200938.122022.xls	Get hash	malicious	Browse	208.95.112.1
	Envio .xls	Get hash	malicious	Browse	208.95.112.1
	c1d35edc-2df8-559b-abe2-5185c1b9b0eb.exe	Get hash	malicious	Browse	208.95.112.1
	34CCAE63B50259B758A5B68F579077E5152D9568CD1F9.exe	Get hash	malicious	Browse	208.95.112.1
	VA6tIRHaBe.exe	Get hash	malicious	Browse	208.95.112.1
	Acciones de Java.js	Get hash	malicious	Browse	208.95.112.1
	DY6NIa6uCJ.exe	Get hash	malicious	Browse	208.95.112.1

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TUT-ASUS	6VTSHr3nIo.exe	Get hash	malicious	Browse	208.95.112.1
	sAHuzbfzyE.exe	Get hash	malicious	Browse	208.95.112.1
	uC45gMKvoS.exe	Get hash	malicious	Browse	208.95.112.1
	Hj67HZkZkG.exe	Get hash	malicious	Browse	208.95.112.1
	NFE_87654.MSI	Get hash	malicious	Browse	208.95.112.1
	lxapct6lYr.exe	Get hash	malicious	Browse	208.95.112.1
	Gonderi.xls	Get hash	malicious	Browse	208.95.112.1
	ORD0210467.doc	Get hash	malicious	Browse	208.95.112.1
	lRD8O9tHC3.exe	Get hash	malicious	Browse	208.95.112.1
	hbQlo7Tz3a.exe	Get hash	malicious	Browse	208.95.112.1
	NotaFiscal.msi	Get hash	malicious	Browse	208.95.112.1
	aInjector Win64_x32.exe	Get hash	malicious	Browse	208.95.112.1
	tGLMnAEvJN.exe	Get hash	malicious	Browse	208.95.112.1
	7cOEz96mi8.exe	Get hash	malicious	Browse	208.95.112.1
	O9A0UekqQN.exe	Get hash	malicious	Browse	208.95.112.1
	Emir NO;200938.122022.xls	Get hash	malicious	Browse	208.95.112.1
	Envio .xls	Get hash	malicious	Browse	208.95.112.1
	c1d35edc-2df8-559b-abe2-5185c1b9b0eb.exe	Get hash	malicious	Browse	208.95.112.1
	diBfYpFaeM.exe	Get hash	malicious	Browse	208.95.112.1
	34CCAE63B50259B758A5B68F579077E5152D9568CD1F9.exe	Get hash	malicious	Browse	208.95.112.1

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regsql.ex_7d9ce948188d73196cad9527f9d462069337bc_24892b97_16c5322b\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.218173031703613
Encrypted:	false
SSDEEP:	192:TsXrVKHBUZMXCaPug76irsI/u7sJS274ItR:4xiBUZMXCaJ7Z/u7sJX4ItR
MD5:	D283047875B66C4DF2156561A0F28387
SHA1:	8E06DA714F467C99FB8272CE9004AC620CDD9351
SHA-256:	A59D5167AB099CB7A6E880030E244EF11AD705B7F6C8C2434D321F5D3679118D
SHA-512:	9BA4A36D438E0B498ECE711BE2D74261357C294213F08CD519264E453FA558B20C829E64AF7AE45BC425FB398F0ED0CB42A416F074CDF0AD892E9D85C2F7881C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.1.5.3.1.3.7.3.1.8.3.3.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.1.5.3.1.4.6.1.1.5.1.6.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.4.e.e.1.d.6.-.2.7.b.d.-.4.d.3.6.-.a.c.e.0.-.e.f.b.6.5.8.3.1.d.6.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.1.a.5.8.6.5.-.1.c.d.3.-.4.a.7.0.-.a.7.8.7.-.6.e.8.6.f.0.f.1.0.1.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.s.q.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.s.q.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.c.-.0.0.0.1.-.0.0.1.b.-.e.1.0.f.-.2.1.3.a.a.b.f.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.0.6.9.c.2.3.a.0.d.6.7.8.3.b.2.d.1.6.b.3.e.9.3.e.0.a.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DD8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8300
Entropy (8bit):	3.6922122001078277
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiVHg6b6Ydu6Ggmfx92SH+prr89bPosfflm:RrlsNii6b6Y06GgmfxoSfPbfA
MD5:	266FEDD86D5164AE097F4AC3AABE8C47
SHA1:	BB7FC97B63AA422C56C81A51F0E1C021074DB5E3
SHA-256:	99D5314F1402800E5A977D5B467316E3E6AF0B28BB030DB1ACAE26D3BFF53828
SHA-512:	FD62067A34B61CFFD73F7A55A8D8ACDD3FCD7645A4B80A7008FC5F3C4AF2FBA57A5943F65F55084AA6629DE304916FB059364F0861CE3B79B52C9EE9CCFE53E8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2193.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.4541108235694145
Encrypted:	false
SSDEEP:	48:cvIwSD8zsQJgtWI9DbWSC8Bj8fm8M4JekmOGFtr+q8b8Nf/4HO6ZRd:uITfW4qSNuJekdCg8NHt6ZRd
MD5:	43EE0F08D27A8498D35E6FCFA567FED7
SHA1:	67DA3264D3739BB844AC687724A713B1B2950EFD
SHA-256:	EF55E232D1075156C4B7490D53EC000836D85B21427C76931EEC5DEC52CA81CE
SHA-512:	B2A59466B3809E017EF8F915D5CD7097C6CFC443FFA260248A6057E57F51DE4CC5F990F9EF6422FA43B5A18535490EAF999E922CD6F358E536D6BF8BCBCB7982
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1300543" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 16 18:32:21 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	318124
Entropy (8bit):	3.5536379442525985
Encrypted:	false
SSDEEP:	3072:TeCRgxm0Ajd+pBM0RaUCgUEG7369gIOgF5RsbtJIoYHf4:Txj0hpBMBTjU9RpDRsnIk
MD5:	267D1E323E3774AF5AB7AECEC11338FC
SHA1:	60A97AFE0452E0AF60ABADAF361ADFCC8B0010BD
SHA-256:	6739DC30B255568D664F7AA207C77D750648B23F18485F50065CF9A64314FEB3
SHA-512:	E87910ED9148043E4047E2E95255BE9940432DC7D79DBEBD4E17210ADCB24FAC5199C439426D9AF8282E4F4EB7DB07FA786343E847AC244FEAC52D86D3272C90
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......5..a............D............ ..X.......$...D......d,...Z..........`.......8...........T...........@H..l...........h..........T,...................................................................U...........B.......,......GenuineIntelW...........T.......L...%..a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Jk67LObin.exe.log Download File
Process:	C:\Users\user\Desktop\0Jk67LObin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	791
Entropy (8bit):	5.324801073722654
Encrypted:	false
SSDEEP:	24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhIE4Kx1qE4VE4j:Mgv2HKXwYHKhQnoIHKx1qHVHj
MD5:	C94233662E989335E493105919B08442
SHA1:	F73D5AAAB25FABEF9F82F59FADE594179AF177F5
SHA-256:	167BBEB9822C0834648A1ED0B95B19487ED760755F687680DDF93E3C953F31FD
SHA-512:	C86D0C1D4B1D011CA87BC129B6DFBA2F6A3867E0DDDCFED6FFC87467F4B1FB4AFBAD3A86D9387B2565CDD17656A183C17C580DBF719BB82ABB12443E8A5D1B51
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.243189361567807
Encrypted:	false
SSDEEP:	12288:6Vtx+UOkuQFxCqKVjb96doxn3PJAocRJ4/nPUU/URlKKJhXV:8tx+UOkuQF4qKV4M3
MD5:	2C51CE8E8815488D31CBF16DC9643D8B
SHA1:	9F06AD26F5673CBF6E7D6F13A1B64C596E1AF013
SHA-256:	016BBD36DAFA1F7E2419268D9D01104341F2DF3CCF532EBBAC46B9B2EE2BB7D3
SHA-512:	56E60B999669C0736B8919B5FDF140A8620698D9C0AC7F4A2B52A87C106FC95D1595128FFAE60F424FBB817AB9157A2D05C997D7D8EAD0A4DD676A38CE74DD77
Malicious:	false
Reputation:	low
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...@................................................................................................................................................................................................................................................................................................................................................%...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.425379165910535
Encrypted:	false
SSDEEP:	384:2rU5K5NKv4KgnVVeeDze21NKZtjeT8GFwoiRl0fkCfV:2SKcg/eeDze4NYtjrGFwoiR0kCf
MD5:	183715B3D372A993FCD099887C59C51B
SHA1:	0A8D51DDFE4682FA9D91A2A1E84DB9FB438465AA
SHA-256:	48A3AF691EA604B4A2F0F07D71FFD9998A43BC2C1A0F05CC9695BFF5B6E1B198
SHA-512:	0FEA918BAC463A5B30DB74ACC133CD2BE9DC63A4233783B236A33830EC04CE1E265037609A496B691E722A938D299DAC2AD30D75B812A3AF8B700C26B95FC7BE
Malicious:	false
Reputation:	low
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...@................................................................................................................................................................................................................................................................................................................................................#...HvLE.N......G...........RA...{...=,.......................... ..hbin................p.\..,..........nk,..(.@.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..(.@........ ........................... .......Z.......................Root........lf......Root....nk ..(.@.................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.394672331524419
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	0Jk67LObin.exe
File size:	1745272
MD5:	bb9e3c71b3ee3279632905f905ac21c4
SHA1:	a2b1d81ec6a21b52f555f5ec7e9cf9a73f937971
SHA256:	2f60704e2dac47d532955485a04c195dffa41f9e638527ac42c82a224b2202ea
SHA512:	f63faf0d317fa32fa9e091dfb0327752433c94c2d8171ef1d4b988288012de2062c89c37c87513873010e7ea78e71d54981ca17cec333222eb9ad9bbb9600916
SSDEEP:	24576:NIoyw5eQDLx+KtZEoXgGZw3uBXTTGSMB92zsUrobb0C4M7l:JfQKXgEw3iTyurFCJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[x..........."...0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	0c9ea2b28eb2b200

Static PE Info

General
Entrypoint:	0x59a907
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xA4785B1C [Sat Jun 9 22:24:28 2057 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/15/2020 10:31:45 PM 12/2/2021 10:31:45 PM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	658DCC2A890351DF97DC9F05146283C0
Thumbprint SHA-1:	ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B
Thumbprint SHA-256:	E39CC80A0DF6F2BED821D11B49717306138C1D19FD20190336BF1C4297638A79
Serial:	33000001DF6BF02E92A74AB4D00000000001DF

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19a7d0	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0xee4b	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1a7e00	0x2378	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19a81a	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x19890d	0x198a00	False	0.468245736464	data	6.34245603651	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0xee4b	0xf000	False	0.620540364583	data	6.82373938066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1ac000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
IBC	0x19c19c	0xd544	data
RT_ICON	0x1a96e0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x1aa788	0x14	data
RT_VERSION	0x1aa79c	0x334	data	English	Australia
RT_MANIFEST	0x1aaad0	0x37b	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Copyright Murray Hurps Software Pty Ltd
InternalName	Ad Muncher
FileVersion	4.94.34121 (Free)
CompanyName	Murray Hurps Software Pty Ltd
ProductName	Ad Muncher
ProductVersion	4.94.34121 (Free)
FileDescription	Ad Muncher
OriginalFilename	AdMunch.exe
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Australia
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2021 19:32:09.371824026 CET	49759	80	192.168.2.4	208.95.112.1
Dec 16, 2021 19:32:09.400984049 CET	80	49759	208.95.112.1	192.168.2.4
Dec 16, 2021 19:32:09.403098106 CET	49759	80	192.168.2.4	208.95.112.1
Dec 16, 2021 19:32:09.403618097 CET	49759	80	192.168.2.4	208.95.112.1
Dec 16, 2021 19:32:09.433331966 CET	80	49759	208.95.112.1	192.168.2.4
Dec 16, 2021 19:32:09.491216898 CET	49759	80	192.168.2.4	208.95.112.1
Dec 16, 2021 19:32:30.483086109 CET	49759	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2021 19:32:09.181931019 CET	49714	53	192.168.2.4	8.8.8.8
Dec 16, 2021 19:32:09.200635910 CET	53	49714	8.8.8.8	192.168.2.4
Dec 16, 2021 19:32:09.316289902 CET	58028	53	192.168.2.4	8.8.8.8
Dec 16, 2021 19:32:09.346518993 CET	53	58028	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 16, 2021 19:32:09.181931019 CET	192.168.2.4	8.8.8.8	0x1cb8	Standard query (0)	59.60.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Dec 16, 2021 19:32:09.316289902 CET	192.168.2.4	8.8.8.8	0xcd03	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 16, 2021 19:32:09.200635910 CET	8.8.8.8	192.168.2.4	0x1cb8	Name error (3)	59.60.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Dec 16, 2021 19:32:09.346518993 CET	8.8.8.8	192.168.2.4	0xcd03	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49759	208.95.112.1	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Timestamp	kBytes transferred	Direction	Data
Dec 16, 2021 19:32:09.403618097 CET	1156	OUT	GET /json?fields=query HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 16, 2021 19:32:09.433331966 CET	1156	IN	HTTP/1.1 200 OK Date: Thu, 16 Dec 2021 18:32:08 GMT Content-Type: application/json; charset=utf-8 Content-Length: 26 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 32 22 7d Data Ascii: {"query":"102.129.143.62"}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 0Jk67LObin.exe PID: 6212 Parent PID: 5304

General

Start time:	19:32:02
Start date:	16/12/2021
Path:	C:\Users\user\Desktop\0Jk67LObin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0Jk67LObin.exe"
Imagebase:	0x10000
File size:	1745272 bytes
MD5 hash:	BB9E3C71B3EE3279632905F905AC21C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.672094044.00000000035DA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.672829409.0000000005E10000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.672048822.0000000003578000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.672373133.0000000004480000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.671975966.0000000003501000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: dfsvc.exe PID: 6664 Parent PID: 6212

General

Start time:	19:32:05
Start date:	16/12/2021
Path:	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe
Wow64 process (32bit):
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
Imagebase:
File size:	24160 bytes
MD5 hash:	48FD4DD682051712E3E7757C525DED71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: aspnet_regsql.exe PID: 6732 Parent PID: 6212

General

Start time:	19:32:06
Start date:	16/12/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
Imagebase:	0x470000
File size:	127080 bytes
MD5 hash:	DC0A2353DC4A9CDCF7B0F959DA258B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.672256233.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.658704616.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.668116597.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.704657920.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.659697803.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.659380466.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.659070021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: WerFault.exe PID: 5672 Parent PID: 6732

General

Start time:	19:32:15
Start date:	16/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1368
Imagebase:	0xfd0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.689048137.0000000005C20000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 0Jk67LObin.exe PID: 6212 Parent PID: 5304 0Jk67LObin.exeCOMMON

Executed Functions

Function 05E091C8, Relevance: 7.7, Strings: 5, Instructions: 1458COMMON

Download Yara Rule

Strings

z2O, xrefs: 05E0A828
RX, xrefs: 05E0A7D2
k6., xrefs: 05E09D7A
J$QM, xrefs: 05E09D71
q{8, xrefs: 05E09B72

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID: J$QM$RX$q{8$k6.$z2O
API String ID: 0-226258871
Opcode ID: f393b14d993711f5050632eb2f9ca1eb1628e8467b0b4002474f6410badbc36b
Instruction ID: 5b59fccc72a7a1cd24608918931120c5475c5307230305763ced0ff07db856b5
Opcode Fuzzy Hash: f393b14d993711f5050632eb2f9ca1eb1628e8467b0b4002474f6410badbc36b
Instruction Fuzzy Hash: A7E2D174E40219AFDB94CFA9C885ADDF7F1BF89311F14D1A69429E7314DB38AA818F40

Uniqueness

Uniqueness Score: -1.00%

Function 023093C8, Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

(TY7, xrefs: 02309A0F
/TY7, xrefs: 02309A19

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID: (TY7$/TY7
API String ID: 0-3575619978
Opcode ID: 8329504a75949c2e203c091bae4bc18e22810fc6a4f9b05cfb55f34278d25739
Instruction ID: 23a82133768998ec4263533c94864dbb10b651779357be2d7598f52e0d572a53
Opcode Fuzzy Hash: 8329504a75949c2e203c091bae4bc18e22810fc6a4f9b05cfb55f34278d25739
Instruction Fuzzy Hash: 77F10AB5F042258BDB18CE99CCA13AD76F7ABC8710F19946AD506EB783DA74CC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05E0AEF8, Relevance: 2.8, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

l, xrefs: 05E0AF68
p^Ul, xrefs: 05E0B1D5

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID: l$p^Ul
API String ID: 0-1952497666
Opcode ID: f1e52fc434acf59723d83909259fbabf518943493e45e293b2877aa6110f24b7
Instruction ID: dd3e8c700d45fb0a3eb9436a0226670d5bf653f71cbcfec2ba6081b07f66937b
Opcode Fuzzy Hash: f1e52fc434acf59723d83909259fbabf518943493e45e293b2877aa6110f24b7
Instruction Fuzzy Hash: 1DA11471B14214CBDB04DEA8D8616FE77ABBB84214F14782BE847EB384EE35CD918785

Uniqueness

Uniqueness Score: -1.00%

Function 05E0AF70, Relevance: 2.8, Strings: 2, Instructions: 270COMMON

Download Yara Rule

Strings

p^Ul, xrefs: 05E0B1D5
p^Ul, xrefs: 05E0B1E1

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID: p^Ul$p^Ul
API String ID: 0-3796472126
Opcode ID: 170c8bbb29ba48ed17070781436fbd0772daf95e3e17511c58a8754a0c886f06
Instruction ID: 9f3f22720cd7d23254c2a47fcb307408814b29f0baeae555f56da6c8d2198473
Opcode Fuzzy Hash: 170c8bbb29ba48ed17070781436fbd0772daf95e3e17511c58a8754a0c886f06
Instruction Fuzzy Hash: 8E913971F14218CBDB04DEB8D8612BE76EBBB88600F15782AF446EB384EE75CD518781

Uniqueness

Uniqueness Score: -1.00%

Function 023089E0, Relevance: 1.8, APIs: 1, Instructions: 308memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02308D3B

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e0b629bf975ef6e1e3ab7217acd7ea2014ebbf83e2ad5da63002f61ef014c68d
Instruction ID: 99306a91bb8a3b8756848fc77a3973e8045f4e7259f53af8e8cd72979399ffc1
Opcode Fuzzy Hash: e0b629bf975ef6e1e3ab7217acd7ea2014ebbf83e2ad5da63002f61ef014c68d
Instruction Fuzzy Hash: CBC19271E002198FCB14CFA9C8906AEBBF5FF88314F15856AD455EB392D738D985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02309398, Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

(TY7, xrefs: 02309A0F

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID: (TY7
API String ID: 0-4239629747
Opcode ID: 34efb31fdcd1815e92638ba15fe605c36a3527d44acb72aa62c211ac6e74f36d
Instruction ID: 8e74c497382c0adee06555beef1bf48509702ded247cca630c1b9724f095427d
Opcode Fuzzy Hash: 34efb31fdcd1815e92638ba15fe605c36a3527d44acb72aa62c211ac6e74f36d
Instruction Fuzzy Hash: 88F11BB5F042258BDB18CE99CCA13AD76F7ABC8710F18946AD446DB793DA74CC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02300748, Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02300764

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32e3622627f3bc76bdbfca8eb754de5d232f729a30796ed9125428699928883c
Instruction ID: 1a0ae34c832ecaab262177824f49b082c2e666e4fd19bed386013f7eba35d799
Opcode Fuzzy Hash: 32e3622627f3bc76bdbfca8eb754de5d232f729a30796ed9125428699928883c
Instruction Fuzzy Hash: 6F21A3347001145FD318EB7DD86576BB2EAEBC9A14F14843DE50ADB389DFB49C4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 0230AA80, Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3871d0398a8a1263e76e11ef6dafcd63b0c27879faf4844e3e8686e6932d47e2
Instruction ID: 6d682da6b21dfa52e55e14e95b8ec8982b044603449f3512a9c1333d0da03c11
Opcode Fuzzy Hash: 3871d0398a8a1263e76e11ef6dafcd63b0c27879faf4844e3e8686e6932d47e2
Instruction Fuzzy Hash: 6522F6756001149FCB05DFA8C994E69BBB6FF8C714B1680A8E6069F376CB31EC51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02302AE8, Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3140291a40f37e6e40d130d89a51100207ba7a9af0060ccc81a23142be2f383a
Instruction ID: 148bea1632c5112472fd77825169ed22270c7872c41b4a7c05c8f8032da2bf14
Opcode Fuzzy Hash: 3140291a40f37e6e40d130d89a51100207ba7a9af0060ccc81a23142be2f383a
Instruction Fuzzy Hash: 17129070B002199FDB14DFA8C894BAEBBF6BF88704F148469E906DB395DB309D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0230B288, Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1fb680b1d9720879d8b4737dadf977119a103d5dc1bc7415a9037d4d86c43d
Instruction ID: 0a3b15b051a48093095ff58304ea8afc6da97955b388ec0a91bf30b9741d5970
Opcode Fuzzy Hash: ea1fb680b1d9720879d8b4737dadf977119a103d5dc1bc7415a9037d4d86c43d
Instruction Fuzzy Hash: 8D12C335A002158FCB05DFA4C894BEEBBB6FF88314F158569E455AB392D730ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02303110, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b954debb2baa4ed1f60fcddfd86e64ff4dbfb009f4937a14c748362f5e35cf
Instruction ID: d002a7271c8d9122bf93f5fdb970cd9c4e9d413ba3498b42274bb9bd08fcdc08
Opcode Fuzzy Hash: d7b954debb2baa4ed1f60fcddfd86e64ff4dbfb009f4937a14c748362f5e35cf
Instruction Fuzzy Hash: 22025C30A04109DFCB15DFA9C8D8AADBBF6FF89314F1584AAE415AB2A1D730DC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05E032A8, Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81f53beefb3550c7b3ba9c9777299236e6f0b8f1bc9fcfbc033f775eb681424
Instruction ID: dbfd83f4b889a7156b0733c4dc7a3aae8f9b2e8401b71b56039e31fd1bcc15d2
Opcode Fuzzy Hash: f81f53beefb3550c7b3ba9c9777299236e6f0b8f1bc9fcfbc033f775eb681424
Instruction Fuzzy Hash: BCB11776B10124CBD708CAA9D85466A76F3ABCC710F1AED26E587EB384DF74CC524782

Uniqueness

Uniqueness Score: -1.00%

Function 05E03298, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d6257184bb4627126d82eda17f4e24f7cc11987bde8b26dbb73cc1cdc85cbd
Instruction ID: 570a91d22aac96849f7f1b875e3a5c80ddbfaac784999e71721f4cbc7834916c
Opcode Fuzzy Hash: a1d6257184bb4627126d82eda17f4e24f7cc11987bde8b26dbb73cc1cdc85cbd
Instruction Fuzzy Hash: 2CB11676B10124CBDB08CA69D85466A76F3ABCC710F1AED26E587EB384DF74CC514782

Uniqueness

Uniqueness Score: -1.00%

Function 05E0332A, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981f8b03b2f7e1662a3cc919992e5e151a0d71ae5549654bdae3758f73389b
Instruction ID: 8beee334a03df4b234a6b72c8a4e403fca68abd511d1e010d3447b44d0858a2d
Opcode Fuzzy Hash: dc981f8b03b2f7e1662a3cc919992e5e151a0d71ae5549654bdae3758f73389b
Instruction Fuzzy Hash: 19B12776B14124CBD708CA68D89466976E3ABCC710F1AEC26E587EB3C4DF74CC524782

Uniqueness

Uniqueness Score: -1.00%

Function 0230BDB0, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70828569eb66738733376910159b218348c80d226f3ea8f4d1708a8a9a70830b
Instruction ID: cc8b017df1018ca8967e935ea2435d983c539a1cb0d8452fce934dbdfa4e2327
Opcode Fuzzy Hash: 70828569eb66738733376910159b218348c80d226f3ea8f4d1708a8a9a70830b
Instruction Fuzzy Hash: D0D14F74A002499FDB14CFA8D590AAEFBF2BF48314F14C569E8459B396D735DC81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05E03C09, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427fb171eb7ba0ad8ca6b91f7cce47eb89068afe12424455b541faf97a599f58
Instruction ID: 81f2733802a9d230b3db195367f8621a7d003f99ab3983ee5d6b91eec2c87053
Opcode Fuzzy Hash: 427fb171eb7ba0ad8ca6b91f7cce47eb89068afe12424455b541faf97a599f58
Instruction Fuzzy Hash: C1612F76F5022887D708CFA9CC916AEB6E7BBCC610B15A52AE516FB394DA34CC0247D1

Uniqueness

Uniqueness Score: -1.00%

Function 05E03C18, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3190fbdc652e16216d6b6dfbb0e646ee550d86a9ccc04b1ec8a1155cc7923145
Instruction ID: 9f1e16276de1825fcced0b465396b2aed9eb06ed8f773e44f9dd4399ae2e22db
Opcode Fuzzy Hash: 3190fbdc652e16216d6b6dfbb0e646ee550d86a9ccc04b1ec8a1155cc7923145
Instruction Fuzzy Hash: 53512076F5022887DB08CFA9CC516AFB6E7BBCC610B15A52AE516FB394DA34CC0247D1

Uniqueness

Uniqueness Score: -1.00%

Function 02300744, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02300764

Strings

WVSP, xrefs: 02300745

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: WVSP
API String ID: 2994545307-3847415142
Opcode ID: 2ca350543ab3f28f69a40ed5a7f0338068b7030d3904fc17378240e7266b8772
Instruction ID: 9bd4a0083abe3bba2445d2ddb10a2b1699fa1c9859097f4f1296b41830e45efe
Opcode Fuzzy Hash: 2ca350543ab3f28f69a40ed5a7f0338068b7030d3904fc17378240e7266b8772
Instruction Fuzzy Hash: C42192343001148FD718EB7CD86576AB2EAEBC9A14F14C52DE50ADB389DFB59C4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C655, Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05E0C896

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 83b6c56a52c7f0cd5366f7f439403d60ffbb733d3e8b5059b7067aa84d00a5cc
Instruction ID: 7cd0d740caca1a17b0ae379745a30a6d79946749ae92674e2ba75cb698270230
Opcode Fuzzy Hash: 83b6c56a52c7f0cd5366f7f439403d60ffbb733d3e8b5059b7067aa84d00a5cc
Instruction Fuzzy Hash: AAA13B71D04219DFEB10CFA8C881BEDBBB2BF48318F149669D889A7280D77499C5DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C660, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05E0C896

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 033858398d939d8858d2b68c59de766ce38cb4800b21a3c6650983e1bc2b2311
Instruction ID: b9edc3a1db1d14cf9e06e4d48f2a29073bc70404cb5ca71a9b8bc6a779012405
Opcode Fuzzy Hash: 033858398d939d8858d2b68c59de766ce38cb4800b21a3c6650983e1bc2b2311
Instruction Fuzzy Hash: 4E914C71D04219DFEF10CFA8C841BEDBBB2BF48318F149669D849A7280DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02300569, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 02300629

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13e00af11b771d1ac724e24db236a3ca5ebafe6253e646bc2049cdc63a980256
Instruction ID: 612f66807117c40c174fc732ebe5f2c09719f22228ae8400702ddb05d6dc228f
Opcode Fuzzy Hash: 13e00af11b771d1ac724e24db236a3ca5ebafe6253e646bc2049cdc63a980256
Instruction Fuzzy Hash: 6441D335B045049FDB08AB789C657AEB7EBEBC9600F18802EE506E7394CF718C068791

Uniqueness

Uniqueness Score: -1.00%

Function 0230C4C0, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6b5a4439dbff11e0888e9549f8741262221292f096f73c57a705d60294c10b03
Instruction ID: b43ac30d7d5a67ca936e07dc8dfab0c9c038603f0f3002ac3786f98e69a5d7d6
Opcode Fuzzy Hash: 6b5a4439dbff11e0888e9549f8741262221292f096f73c57a705d60294c10b03
Instruction Fuzzy Hash: 27315A75D003089FCB00DFA9C444BEEBBF5AF48314F10886AE958A7741DB389A45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C3D0, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05E0C468

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bb5992087c8b343565ba1ed9142508095f330a7c0976c8a2594f9e49b98f69ba
Instruction ID: 37b52cab76f401efd5ecb7616eb61b0bbf59468aa1c5ea0bcbac27c35c3e855d
Opcode Fuzzy Hash: bb5992087c8b343565ba1ed9142508095f330a7c0976c8a2594f9e49b98f69ba
Instruction Fuzzy Hash: 602157B59003099FCB00CFA9C8857EEBBF5FF48314F50882AE959A7240C7789985DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C3D8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05E0C468

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: acab96736d56fd0fe4071ecd653d827a326d5db1e278fba2af214c3f06ec1321
Instruction ID: 744a7043c0f466f6d5549df63243bdc8bc6f111619b5dda6c9f5562928f7ed33
Opcode Fuzzy Hash: acab96736d56fd0fe4071ecd653d827a326d5db1e278fba2af214c3f06ec1321
Instruction Fuzzy Hash: 682178719003499FCF10CFA9C884BEEBBF5FF48314F50882AE959A7240C7789985DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C238, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05E0C2BE

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d5ab0863362a753706270399854997172b1034238108d4ab60dc9eb4c694abbb
Instruction ID: d45ebb9e3e183e30db7eecdd11085a1495a324c2dc5fc537bfb6d3577b22aadd
Opcode Fuzzy Hash: d5ab0863362a753706270399854997172b1034238108d4ab60dc9eb4c694abbb
Instruction Fuzzy Hash: 332168B1D006098FDB10CFE9C4857EEBBF5FF48218F54982AD559A7640CB789985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C240, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05E0C2BE

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b89d638afbf5245ec809a4ae3a21d79548ce505a0b160fb9d1e9409eda84230f
Instruction ID: 6b327491192a20248c4415c6bb2a8758e3439cfd108ae3862aefe9b1ea2cc462
Opcode Fuzzy Hash: b89d638afbf5245ec809a4ae3a21d79548ce505a0b160fb9d1e9409eda84230f
Instruction Fuzzy Hash: 1E2138719002098FDB10CFEAC4847EEBBF5EF58218F54982AD459A7640CB789985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02309CE0, Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0230C5A3

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 402eb48fbfb5ffa498fa7c6404b4daf9582b99936315811d226c6483140a3077
Instruction ID: 0323d71d9e83b02bb78467f2a30368eea23c2464452f9a37379d0c8501276371
Opcode Fuzzy Hash: 402eb48fbfb5ffa498fa7c6404b4daf9582b99936315811d226c6483140a3077
Instruction Fuzzy Hash: AC2149B59002099FCB10CF9AC484BEEBBF5FF48320F14842AE958A7241D774A685CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02309CE4, Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0230C5A3

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7d2383d7d5a954f8746e948cee2a62b60426b72c7574ab9451de8f2c9e2a29e9
Instruction ID: 22ec941b1e7f4d4e3b15df0677aaea47cb6c46addeec67277926aa4f9c6b3c2b
Opcode Fuzzy Hash: 7d2383d7d5a954f8746e948cee2a62b60426b72c7574ab9451de8f2c9e2a29e9
Instruction Fuzzy Hash: DF213B759002099FCB10CF9AC484BDEBBF5EF48324F14842AE558A7641D774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02308CC8, Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02308D3B

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6a7625083941e9e22ec95dd1a72f8b289ef8b6eeb213aafa7dae5c724e7b32c8
Instruction ID: 578533de7ae120d442737b6951550320714d31fd532cf0f061afb49517057a3c
Opcode Fuzzy Hash: 6a7625083941e9e22ec95dd1a72f8b289ef8b6eeb213aafa7dae5c724e7b32c8
Instruction Fuzzy Hash: 992117B5D002099FCB10CF9AC484BDEBBF5FF58324F14842AE568A7640D778A585DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C311, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05E0C386

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1028c8c1820842f4eb995430072a3dd66875eee50399c0ea34eb0ce2d0c769ee
Instruction ID: 7ee027085c4e90d9a02bb81dcca19f7cc0de317488600b138c005c46d2671e94
Opcode Fuzzy Hash: 1028c8c1820842f4eb995430072a3dd66875eee50399c0ea34eb0ce2d0c769ee
Instruction Fuzzy Hash: EB116A718002499FCF10DFA9C8447EFBBF5EF48324F14882AE559A7250C7759984DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C318, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05E0C386

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2136e5b6c11a20c57c21108045f97c85662f3846315c7168eeea45bb61909f9
Instruction ID: ce49414d7de491baa780c69a5e6d61776c5efdc006e705e1770ebeff730a94e1
Opcode Fuzzy Hash: a2136e5b6c11a20c57c21108045f97c85662f3846315c7168eeea45bb61909f9
Instruction Fuzzy Hash: 20116A718003489FCB10CFA9C8447EFBBF9EF48314F148819D559A7240C7759944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C189, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05E0C1F2

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab62c3ee59bb3d5c6326ef8265586b2bddcb44e2b1d50d3b6f7e9c89594a48a1
Instruction ID: 0d0bd759b2f5b28e536553547f0db8a4bbc68eccf2cc3a9b2f6ac14eb510ff2e
Opcode Fuzzy Hash: ab62c3ee59bb3d5c6326ef8265586b2bddcb44e2b1d50d3b6f7e9c89594a48a1
Instruction Fuzzy Hash: 6C1158B59002498BCB10CFE9C4857EEFBF5AF48228F24882AC559B7640CB789985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E0C190, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05E0C1F2

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e24aa02709b210f9cfa79e5a66b6ebc1c5ec01e4aeb321678ae81245285134cc
Instruction ID: 386f942a7a1629b549fdde4fd044d5b6cc238fa4f3a40ec03a063b76d7bc2c78
Opcode Fuzzy Hash: e24aa02709b210f9cfa79e5a66b6ebc1c5ec01e4aeb321678ae81245285134cc
Instruction Fuzzy Hash: F91128719002488BDB10DFAAC4447EFFBF9AB58224F24882AD559A7640CB75A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 044D54CC, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672446006.00000000044D0000.00000040.00000001.sdmp, Offset: 044D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704cc56bb5d8ad121f458bf0b10baa610aba04dc1635740b617843b550ccde3
Instruction ID: 7381fb34996664b0affd56ce25be0b07d253fe0b44751c16ce094cfa2c9f410e
Opcode Fuzzy Hash: 4704cc56bb5d8ad121f458bf0b10baa610aba04dc1635740b617843b550ccde3
Instruction Fuzzy Hash: 8AE026725243805FC7011775AC0A2887FF4DB49625F0040BAE485C3241DE3A88028B80

Uniqueness

Uniqueness Score: -1.00%

Function 0089D01C, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667613776.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259f8274c858fc6b21061956c6951d09eb9a74c6e0680bbb02e0b4631e68cc7b
Instruction ID: 7621c2dd7827e9fd2772417ed30ad0a8406ce0ff35d15f68973c6756db537989
Opcode Fuzzy Hash: 259f8274c858fc6b21061956c6951d09eb9a74c6e0680bbb02e0b4631e68cc7b
Instruction Fuzzy Hash: B5210375504B44DFCF14EF54D9C4B16BBA5FB88318F2889A9E8098B246C336D847DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0089D017, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667613776.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d31d1aada61d75af2aa4b01c916ba1c9b73b3dd3d1267767acef529949e5d5c
Instruction ID: 1d6cd66fe85e4b800ad7f857521f4b19a6e7ed2788821494fc860827f23cb0cd
Opcode Fuzzy Hash: 4d31d1aada61d75af2aa4b01c916ba1c9b73b3dd3d1267767acef529949e5d5c
Instruction Fuzzy Hash: 3B11AF75504780CFCF15DF14D9C4B16BF61FB84314F28C6A9D8094B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02320079, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667905722.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d50606a3d8c9d233696fcd21863d27e384b5dab621ab0e1d44fdc9c6e18887
Instruction ID: 3a852ee33f55fc762f16149ccac17e4fe58cd6f48b200a2bb54b1929c598ded0
Opcode Fuzzy Hash: 22d50606a3d8c9d233696fcd21863d27e384b5dab621ab0e1d44fdc9c6e18887
Instruction Fuzzy Hash: AE01A93500D3D1AFE7175B389C686A17FB19F63245B0A94C6D5C09F0B7C525186EEB22

Uniqueness

Uniqueness Score: -1.00%

Function 044D5224, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672446006.00000000044D0000.00000040.00000001.sdmp, Offset: 044D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcf3448d43cc2c5e7b19f6e64dfd885bfe2a6aa9a2c9794524427ec46e3b452
Instruction ID: 945adc7a320814cc5b6c19c540aa0f89d7c622121541b053bcf970edcd811bfd
Opcode Fuzzy Hash: 4fcf3448d43cc2c5e7b19f6e64dfd885bfe2a6aa9a2c9794524427ec46e3b452
Instruction Fuzzy Hash: 8EF0E982A092485BCA16BBBCA8726FA3B9AAD5610CB440CDB91C689152FD05E5C97393

Uniqueness

Uniqueness Score: -1.00%

Function 02320121, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667905722.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae9d497d6ad28528c79a71f62e6e4779bc00e2f96300e396a3c6d315cc84743
Instruction ID: 85fce0f95c9ac7b1b8adb58c2489bbf12fc79559cbc9f8df2fccafcf16a84962
Opcode Fuzzy Hash: 2ae9d497d6ad28528c79a71f62e6e4779bc00e2f96300e396a3c6d315cc84743
Instruction Fuzzy Hash: 80E0BD2500E3C25FC7435B388870191BFB2AE9768070A04CBE0D0CF0B3D5291CAEE722

Uniqueness

Uniqueness Score: -1.00%

Function 0232008C, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667905722.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d580bd8b15cafb1a25bf4afc33261a28507a1cca74acd989458a1884c1f569
Instruction ID: 06f8835d8903bfee7feb6ecd5020af217f558d261753ebe97348abfda71bbb59
Opcode Fuzzy Hash: 26d580bd8b15cafb1a25bf4afc33261a28507a1cca74acd989458a1884c1f569
Instruction Fuzzy Hash: 69E0422400E7C16ED7575B388864AA5BFB1AFA7640B4E94EBD1C4CF4B3C229099DD722

Uniqueness

Uniqueness Score: -1.00%

Function 023200F1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667905722.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b0bd21ad409f2861d953b7cdab5f47c9131bbc903536c5ceb4f88c0b5e2b7f
Instruction ID: a72911b3bb01d48a880c883c0c02653a141402a1c1a0269388677f043e9c59d3
Opcode Fuzzy Hash: c0b0bd21ad409f2861d953b7cdab5f47c9131bbc903536c5ceb4f88c0b5e2b7f
Instruction Fuzzy Hash: DAE02D2540E3C25FD747677448705807FB26E6718574E08D7D4D1CF4B3D519286EDB62

Uniqueness

Uniqueness Score: -1.00%

Function 044D51DF, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672446006.00000000044D0000.00000040.00000001.sdmp, Offset: 044D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1734fa89c41833a4712e3d6ff74297ba738a6fde496d6d6855375b9e1efb4a76
Instruction ID: 178a622b6884f7bc970258b8f3a6819249b394dddd16b4ef9b81c327b96df6cb
Opcode Fuzzy Hash: 1734fa89c41833a4712e3d6ff74297ba738a6fde496d6d6855375b9e1efb4a76
Instruction Fuzzy Hash: 2DE02671A582454FCB00EFF05A152FE3BE1ABC6104B4009EAC045D7144EE7949018B41

Uniqueness

Uniqueness Score: -1.00%

Function 044D51F0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672446006.00000000044D0000.00000040.00000001.sdmp, Offset: 044D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c75fadb46b2c7bd89675268952ab92f08059c4b0a80fd58d99002878795143c
Instruction ID: b9d473c06f63c523267844d1319620af68e9f47e7008678c5173fef40e42da60
Opcode Fuzzy Hash: 6c75fadb46b2c7bd89675268952ab92f08059c4b0a80fd58d99002878795143c
Instruction Fuzzy Hash: 7DD0A77062430C9B4B04FFF499195BE7AA9AB84208F414DA9D606D7244EE71990017D2

Uniqueness

Uniqueness Score: -1.00%

Function 044D5638, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672446006.00000000044D0000.00000040.00000001.sdmp, Offset: 044D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2929f0925c835e5a9edbc5f85105edc7e2d7df5109f9a4128952e0817dfa89
Instruction ID: 7f7be7ab7375bea3ff9631a75f3b16714ec7cea00ab5bef27385bf482b2160f8
Opcode Fuzzy Hash: 0b2929f0925c835e5a9edbc5f85105edc7e2d7df5109f9a4128952e0817dfa89
Instruction Fuzzy Hash: 78D0C9316202549B8B142B7AB909099BEE9DB8966A70044BAB84AC3300DE7688018790

Uniqueness

Uniqueness Score: -1.00%

Function 0232015C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667905722.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7aaa760b6c6a343ee6abdc7e38de6b5fa68b255fca2210e720f092e1300b2d4
Instruction ID: 316aff8a5372d6edc4c83c0217f357faf41f89159b0c77f33d545b30fc9063f0
Opcode Fuzzy Hash: f7aaa760b6c6a343ee6abdc7e38de6b5fa68b255fca2210e720f092e1300b2d4
Instruction Fuzzy Hash: AAD0926114D3E15FC34367648C649967F756E2311130A44CBD4C08A0B3C118185ED732

Uniqueness

Uniqueness Score: -1.00%

Function 044D51C0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672446006.00000000044D0000.00000040.00000001.sdmp, Offset: 044D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f331b5f21880b197f4d62295cd0223cf976dac17e2ef164789682550280407
Instruction ID: 6c677f89db7be29458e222fa0ff4d29fce260a9ef18de3c1e6e19f0b4fd7f8ff
Opcode Fuzzy Hash: 68f331b5f21880b197f4d62295cd0223cf976dac17e2ef164789682550280407
Instruction Fuzzy Hash: E3C04CBE21010097D614DAB2DC52759B392DB86214F19C899A8458B345DB27EE03D660

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02309EF8, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667860404.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cae90d613f141bbfc181e28ae55f2baa547960574f8647a5a8870ec0f78b5b
Instruction ID: d87b7777a182d9bfa827081d5bb7f274599caf096a90b509f9a4eb7bdf4c28a8
Opcode Fuzzy Hash: c1cae90d613f141bbfc181e28ae55f2baa547960574f8647a5a8870ec0f78b5b
Instruction Fuzzy Hash: 6612C331A002159FCB04DFA8D894AAEBBF6FF88310F158569E445EB392DB34DD41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05E025E9, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672816404.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1437918088d587fef26a5693e69f1dbbf13e13e05d5ab39f2ee9f28ffdf481
Instruction ID: 13a26e10bac97c1afc8e7fb5060702bfc804b99e004fe24a112087c7803327ab
Opcode Fuzzy Hash: 6a1437918088d587fef26a5693e69f1dbbf13e13e05d5ab39f2ee9f28ffdf481
Instruction Fuzzy Hash: B2617627F442344BD7049A7CCC952BE67D79FC851835AA56ACC4AEF389EE348E0647C1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_regsql.exe PID: 6732 Parent PID: 6212 aspnet_regsql.exeCOMMON

Executed Functions

Function 05FF2520, Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05FF258D

Memory Dump Source

Source File: 00000004.00000002.707724242.0000000005FF0000.00000040.00000010.sdmp, Offset: 05FF0000, based on PE: false

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: bbba79fd2ae299482f65b3e52d994f69d3d608f4032fa5443d5ad26ce906ece6
Instruction ID: 7e260e6904a43c6534ae24f2faf4aa17723e8b0f0950948f6d352296888a9ac6
Opcode Fuzzy Hash: bbba79fd2ae299482f65b3e52d994f69d3d608f4032fa5443d5ad26ce906ece6
Instruction Fuzzy Hash: 69113776800209DFCB10CF99C945BEEBBF5FF48324F148819E614A7610C379A995DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FF1718, Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05FF258D

Memory Dump Source

Source File: 00000004.00000002.707724242.0000000005FF0000.00000040.00000010.sdmp, Offset: 05FF0000, based on PE: false

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a62b2716e2623f3b0bdb5a32b5a44e4daea715a7920ccfcd6843650ff1524267
Instruction ID: c695dd6a660ffb70dc68f0fc39f1b63b312f8265f6a660ba58adb5946f46494c
Opcode Fuzzy Hash: a62b2716e2623f3b0bdb5a32b5a44e4daea715a7920ccfcd6843650ff1524267
Instruction Fuzzy Hash: 851156B6800209DFCF10CF99C844BEEBBF5EF48320F148419EA14A7610C379AA95DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026A31F4, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 026A5C7F

Memory Dump Source

Source File: 00000004.00000002.705670951.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f2ae795d26551e0c9e09c4d8a014c2f2a1f75b9659dbe96edcbf791920dd6d8d
Instruction ID: 4681821db393ffcd28deb6c23ff1f937a464f7e3ce8a142a417a570cb3132ff8
Opcode Fuzzy Hash: f2ae795d26551e0c9e09c4d8a014c2f2a1f75b9659dbe96edcbf791920dd6d8d
Instruction Fuzzy Hash: 6C4146B0D00608DFDB10CFA9C89479EBBF1EB48714F148529E816EB344E7B49886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 026A5B8D, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 026A5C7F

Memory Dump Source

Source File: 00000004.00000002.705670951.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50c06722ebe1629af76fd80012a047870f83f2a0ef898cf008bfe4d1c400291c
Instruction ID: 8f5deff33a358fb1f6c857d5808543fa7f1b9e7bec8cffadfc4770716a6998dc
Opcode Fuzzy Hash: 50c06722ebe1629af76fd80012a047870f83f2a0ef898cf008bfe4d1c400291c
Instruction Fuzzy Hash: FE4146B1D00648DFDB14CFA9C89579EBBF1EB48714F148529E816EB384E7B49886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D3C8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.705116660.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002607a6925e0a229c4c111d59b06ccc4b5c4566e6264beeec727e144e5c82c9
Instruction ID: c3f430d46ccae7bd67e41b0f8a3ba69f67fd7e3cd3e35ab1e2ce010d560ac562
Opcode Fuzzy Hash: 002607a6925e0a229c4c111d59b06ccc4b5c4566e6264beeec727e144e5c82c9
Instruction Fuzzy Hash: 47213A79500304DFDB20DF50D9C0F56BBA5FB94325F24C969EC060B246C336E88ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D4B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.705116660.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3de97914771c1db85502b175c26ac4533b16788208a702603f5d728c6c81cf
Instruction ID: dbd0ee0c7d2d00a1b59fc368edb0dc9d91ae6c9f0418fadb64d325e349327375
Opcode Fuzzy Hash: 4b3de97914771c1db85502b175c26ac4533b16788208a702603f5d728c6c81cf
Instruction Fuzzy Hash: C72128B5500344DFCB21DF50D8C0B66BBA5FB98329F64C969EC060B246D336E989DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D3C3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.705116660.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e0516ba8d70b603186db4142f203c147077507b90b7fd913390acd65f2ef2
Instruction ID: 38338cf13ecaaabbc3d5758476ebfe3a3fe353440e565b3432a1079638abd299
Opcode Fuzzy Hash: 680e0516ba8d70b603186db4142f203c147077507b90b7fd913390acd65f2ef2
Instruction Fuzzy Hash: AF11B176404280CFCB11CF10D5C4B16BF72FB94324F24C6A9DC0A0B656C336E99ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D4AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.705116660.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e0516ba8d70b603186db4142f203c147077507b90b7fd913390acd65f2ef2
Instruction ID: dfa5907cd53f6bfaaf877b43439c5247503da6e0cbd2694530fcb20c30e99b6a
Opcode Fuzzy Hash: 680e0516ba8d70b603186db4142f203c147077507b90b7fd913390acd65f2ef2
Instruction Fuzzy Hash: 7511B1B6404280CFCB12CF14D5C4B16BF71FB94324F24C6A9DC090B656D336D99ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D617, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.705116660.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f299bb44b5d08f6d3df19d406b5c89e3101cc8969d7f5d9e50702002db547d6
Instruction ID: 32664dbdf6f8a414f4d5d5d1d7e6d642397fc6b0d5ae9829f4d569bee87e01dc
Opcode Fuzzy Hash: 3f299bb44b5d08f6d3df19d406b5c89e3101cc8969d7f5d9e50702002db547d6
Instruction Fuzzy Hash: 0BF01D76200600AF93208F0ADD85C27FBADFBC5775715C49AE84E4B712C671EC82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.705116660.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52fb163369670d5875807ae353ced095a0abc011f3f15c5deadfe21b7df204a
Instruction ID: c4fb0b41ec39073229bab832985f180dbc9cf54a28e8d8538071a6406d59c2f3
Opcode Fuzzy Hash: a52fb163369670d5875807ae353ced095a0abc011f3f15c5deadfe21b7df204a
Instruction Fuzzy Hash: DAF0FF75104640AFD325CF06CD85C23BBB9FB86760719848DE85A4B352C670FC46CB60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0Jk67LObin

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: JesterStealer

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre