Windows Analysis Report
5GPueTFF2S.exe

Overview

General Information

Sample Name: 5GPueTFF2S.exe
Analysis ID: 764034
MD5: 7d124bc23be85d73b1177143f41b5e72
SHA1: 09633b90a0b993fd4dec6d522a1243433fc3ab10
SHA256: 04805512d670fb5f37bdf17bf00aae6976650f82c0b4bd342f3506d204f7aea2
Tags: 32, exe, trojan

Detection

Amadey, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadey's stealer DLL
Malicious sample detected (through community Yara rule)
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Overwrites code with function prologues
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 5GPueTFF2S.exe (PID: 5848 cmdline: C:\Users\user\Desktop\5GPueTFF2S.exe MD5: 7D124BC23BE85D73B1177143F41B5E72)
    • 75873290272674793137.exe (PID: 6132 cmdline: "C:\ProgramData\75873290272674793137.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
      • gntuud.exe (PID: 5292 cmdline: "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
        • schtasks.exe (PID: 5724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 3644 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cacls.exe (PID: 3856 cmdline: CACLS "gntuud.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • cacls.exe (PID: 4760 cmdline: CACLS "gntuud.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • cmd.exe (PID: 4384 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cacls.exe (PID: 5932 cmdline: CACLS "..\03bd543fce" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • cacls.exe (PID: 4532 cmdline: CACLS "..\03bd543fce" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
        • rundll32.exe (PID: 5968 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • cmd.exe (PID: 5576 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3216 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • gntuud.exe (PID: 5956 cmdline: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
  • cleanup

Malware Configuration

Amadey: {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
Vidar: {"C2 url": ["http://135.181.10.220:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}

Yara Overview: memory dumps

Source | Rule | Description | Author
00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security
00000012.00000002.518241260.00000000000A1000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000001.00000002.445175041.0000000000F71000.00000020.00000001.01000000.00000006.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
(the full report lists 9 entries)

Yara Overview: unpacked PEs

Source | Rule | Description | Author
0.2.5GPueTFF2S.exe.a3f900.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.5GPueTFF2S.exe.b070000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.5GPueTFF2S.exe.a3f900.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.5GPueTFF2S.exe.b070000.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.5GPueTFF2S.exe.b070000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
(the full report lists 8 entries)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe | Avira URL Cloud: Label: malware
Source: C:\ProgramData\75873290272674793137.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nppshell[1].exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | ReversingLabs: Detection: 35%
Source: 5GPueTFF2S.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["http://135.181.10.220:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}
Source: 18.2.gntuud.exe.a0000.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}

Compliance

Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Unpacked PE file: 0.2.5GPueTFF2S.exe.60900000.3.unpack
Source: 5GPueTFF2S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5GPueTFF2S.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb | source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr
Source: Binary string: C:\Yafoca\Rij\Kehiquo soja kafex.pdb | source: 5GPueTFF2S.exe
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.4 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 85.209.135.109 80
Source: Malware configuration extractor | URLs: 85.209.135.109/jg94cVd30f/index.php
Source: Malware configuration extractor | URLs: http://135.181.10.220:80
Source: Malware configuration extractor | URLs: https://t.me/vmt001
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.430008393.0000000008E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/1760
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/1760jf.
Source: 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/update.zip
Source: 5GPueTFF2S.exe, 00000000.00000003.385525417.000000000CCC0000.00000040.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.431582702.000000000B030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:8
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.425200801.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80
Source: 5GPueTFF2S.exe, 00000000.00000002.422509988.00000000005AC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80/update.zip
Source: 5GPueTFF2S.exe, 00000000.00000002.422509988.00000000005AC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80/update.zipb1ef1c57276c118008692-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963
Source: 5GPueTFF2S.exe, 00000000.00000002.425200801.0000000002A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:801760
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80https://t.me/vmt001hello2092;open_open
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135ple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 5GPueTFF2S.exe, 00000000.00000002.424393747.00000000028CA000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mIkUB7ZDt5qfxou902VyKe64v30McOy.LnrmXFtSK2Pynk6VWBPG5Sf1w0AavRp1BVjmQQUkh2vmJkxEZO5UQQZNHAms9
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mikub7zdt5qfxou902vyke64v30mcoy.lnrmxftsk2pynk6vwbpg5s/
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exerO
Source: 5GPueTFF2S.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 5GPueTFF2S.exe | String found in binary or memory: http://s.symcd.com06
Source: 5GPueTFF2S.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 5GPueTFF2S.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 5GPueTFF2S.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5GPueTFF2S.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: 5GPueTFF2S.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: 5GPueTFF2S.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/vmt001
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 5GPueTFF2S.exe, 00000000.00000002.422854308.00000000009CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: lB@dO\ih
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: Fh?jG[OJ
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: qNR5:WbS
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: z?fd8ijJ
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: CV?7x>JO
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: dT<:EHzj
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: @]topACL
Source: nppshell[1].exe.0.dr | Static PE information: section name: lB@dO\ih
Source: nppshell[1].exe.0.dr | Static PE information: section name: Fh?jG[OJ
Source: nppshell[1].exe.0.dr | Static PE information: section name: qNR5:WbS
Source: nppshell[1].exe.0.dr | Static PE information: section name: z?fd8ijJ
Source: nppshell[1].exe.0.dr | Static PE information: section name: CV?7x>JO
Source: nppshell[1].exe.0.dr | Static PE information: section name: dT<:EHzj
Source: nppshell[1].exe.0.dr | Static PE information: section name: @]topACL
Source: gntuud.exe.1.dr | Static PE information: section name: lB@dO\ih
Source: gntuud.exe.1.dr | Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.1.dr | Static PE information: section name: qNR5:WbS
Source: gntuud.exe.1.dr | Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.1.dr | Static PE information: section name: CV?7x>JO
Source: gntuud.exe.1.dr | Static PE information: section name: dT<:EHzj
Source: gntuud.exe.1.dr | Static PE information: section name: @]topACL
Source: cred64[1].dll.7.dr | Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.7.dr | Static PE information: section name: zDthL)*@
Source: cred64[1].dll.7.dr | Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.7.dr | Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.7.dr | Static PE information: section name: Z-),j99t
Source: cred64[1].dll.7.dr | Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.7.dr | Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.7.dr | Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.7.dr | Static PE information: section name: Uh%r6i!H
Source: cred64.dll.7.dr | Static PE information: section name: f5g\gWe7
Source: cred64.dll.7.dr | Static PE information: section name: zDthL)*@
Source: cred64.dll.7.dr | Static PE information: section name: nb"h!m#Y
Source: cred64.dll.7.dr | Static PE information: section name: $^+<%+dU
Source: cred64.dll.7.dr | Static PE information: section name: Z-),j99t
Source: cred64.dll.7.dr | Static PE information: section name: 8"ikKHD[
Source: cred64.dll.7.dr | Static PE information: section name: k&l<0?<6
Source: cred64.dll.7.dr | Static PE information: section name: n[uZh3ex
Source: cred64.dll.7.dr | Static PE information: section name: Uh%r6i!H
Source: 5GPueTFF2S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC35E0
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC81D0
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC7BB0
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC6091
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC4269
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC6072
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC6023
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC603D
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00ECAF98
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC3F9A
                      Source: 5GPueTFF2S.exeStatic PE information: invalid certificate
                      Source: 5GPueTFF2S.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 5GPueTFF2S.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\5GPueTFF2S.exe C:\Users\user\Desktop\5GPueTFF2S.exe
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeProcess created: C:\ProgramData\75873290272674793137.exe "C:\ProgramData\75873290272674793137.exe"
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
                      Source: C:\ProgramData\75873290272674793137.exeProcess created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
                      Source: C:\ProgramData\75873290272674793137.exeFile created: C:\Users\user\AppData\Local\Temp\03bd543fce
                      Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@31/16@0/5
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: 42740063057692746811967690.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
                      Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_01
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCommand line argument: %GR
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: 5GPueTFF2S.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: 5GPueTFF2S.exeStatic file information: File size 1493440 > 1048576
                      Source: 5GPueTFF2S.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x13c400
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 5GPueTFF2S.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: 5GPueTFF2S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr
                      Source: Binary string: C:\Yafoca\Rij\Kehiquo soja kafex.pdb source: 5GPueTFF2S.exe
                      Source: 5GPueTFF2S.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 5GPueTFF2S.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 5GPueTFF2S.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 5GPueTFF2S.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 5GPueTFF2S.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeUnpacked PE file: 0.2.5GPueTFF2S.exe.60900000.3.unpack
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00ECA499 push ecx; ret
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC7D69 push ebp; iretd
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00EC7D2E push ebp; iretd
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: lB@dO\ih
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: Fh?jG[OJ
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: qNR5:WbS
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: z?fd8ijJ
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: CV?7x>JO
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: EVjKc_MI
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: dT<:EHzj
                      Source: 75873290272674793137.exe.0.drStatic PE information: section name: @]topACL
                      Source: nppshell[1].exe.0.drStatic PE information: section name: lB@dO\ih
                      Source: nppshell[1].exe.0.drStatic PE information: section name: Fh?jG[OJ
                      Source: nppshell[1].exe.0.drStatic PE information: section name: qNR5:WbS
                      Source: nppshell[1].exe.0.drStatic PE information: section name: z?fd8ijJ
                      Source: nppshell[1].exe.0.drStatic PE information: section name: CV?7x>JO
                      Source: nppshell[1].exe.0.drStatic PE information: section name: EVjKc_MI
                      Source: nppshell[1].exe.0.drStatic PE information: section name: dT<:EHzj
                      Source: nppshell[1].exe.0.drStatic PE information: section name: @]topACL
                      Source: gntuud.exe.1.drStatic PE information: section name: lB@dO\ih
                      Source: gntuud.exe.1.drStatic PE information: section name: Fh?jG[OJ
                      Source: gntuud.exe.1.drStatic PE information: section name: qNR5:WbS
                      Source: gntuud.exe.1.drStatic PE information: section name: z?fd8ijJ
                      Source: gntuud.exe.1.drStatic PE information: section name: CV?7x>JO
                      Source: gntuud.exe.1.drStatic PE information: section name: EVjKc_MI
                      Source: gntuud.exe.1.drStatic PE information: section name: dT<:EHzj
                      Source: gntuud.exe.1.drStatic PE information: section name: @]topACL
                      Source: cred64[1].dll.7.drStatic PE information: section name: f5g\gWe7
                      Source: cred64[1].dll.7.drStatic PE information: section name: zDthL)*@
                      Source: cred64[1].dll.7.drStatic PE information: section name: nb"h!m#Y
                      Source: cred64[1].dll.7.drStatic PE information: section name: $^+<%+dU
                      Source: cred64[1].dll.7.drStatic PE information: section name: Z-),j99t
                      Source: cred64[1].dll.7.drStatic PE information: section name: 8"ikKHD[
                      Source: cred64[1].dll.7.drStatic PE information: section name: k&l<0?<6
                      Source: cred64[1].dll.7.drStatic PE information: section name: n[uZh3ex
                      Source: cred64[1].dll.7.drStatic PE information: section name: Uh%r6i!H
                      Source: cred64.dll.7.drStatic PE information: section name: f5g\gWe7
                      Source: cred64.dll.7.drStatic PE information: section name: zDthL)*@
                      Source: cred64.dll.7.drStatic PE information: section name: nb"h!m#Y
                      Source: cred64.dll.7.drStatic PE information: section name: $^+<%+dU
                      Source: cred64.dll.7.drStatic PE information: section name: Z-),j99t
                      Source: cred64.dll.7.drStatic PE information: section name: 8"ikKHD[
                      Source: cred64.dll.7.drStatic PE information: section name: k&l<0?<6
                      Source: cred64.dll.7.drStatic PE information: section name: n[uZh3ex
                      Source: cred64.dll.7.drStatic PE information: section name: Uh%r6i!H
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeCode function: 0_2_00ECBAFC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: initial sampleStatic PE information: section where entry point is pointing to: EVjKc_MI
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.993775932964981

                      Persistence and Installation Behavior

                      Source: Yara matchFile source: 00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeFile created: C:\ProgramData\75873290272674793137.exe
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nppshell[1].exe
                      Source: C:\ProgramData\75873290272674793137.exeFile created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeFile created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll

                      Boot Survival

                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\ProgramData\75873290272674793137.exeMemory written: PID: 6132 base: 640005 value: E9 FB 99 72 77
                      Source: C:\ProgramData\75873290272674793137.exeMemory written: PID: 6132 base: 77D69A00 value: E9 0A 66 8D 88
                      Source: C:\ProgramData\75873290272674793137.exeMemory written: PID: 6132 base: 7A0007 value: E9 7B 4C 60 77
                      Source: C:\ProgramData\75873290272674793137.exeMemory written: PID: 6132 base: 77DA4C80 value: E9 8E B3 9F 88
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5292 base: 1030005 value: E9 FB 99 D3 76
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5292 base: 77D69A00 value: E9 0A 66 2C 89
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5292 base: 1040007 value: E9 7B 4C D6 76
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5292 base: 77DA4C80 value: E9 8E B3 29 89
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5956 base: 1290005 value: E9 FB 99 AD 76
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5956 base: 77D69A00 value: E9 0A 66 52 89
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5956 base: 2C40007 value: E9 7B 4C 16 75
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeMemory written: PID: 5956 base: 77DA4C80 value: E9 8E B3 E9 8A
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: EF0005 value: E9 FB 99 E7 76
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 77D69A00 value: E9 0A 66 18 89
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: F00007 value: E9 7B 4C EA 76
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 77DA4C80 value: E9 8E B3 15 89
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 32C0005 value: E9 FB BF A7 74
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 77D3C000 value: E9 0A 40 58 8B
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 32E0008 value: E9 AB E0 A9 74
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 77D7E0B0 value: E9 60 1F 56 8B
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 58A0005 value: E9 CB 5A D3 71
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 775D5AD0 value: E9 3A A5 2C 8E
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 58B0005 value: E9 5B B0 D4 71
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 775FB060 value: E9 AA 4F 2B 8E
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 58C0005 value: E9 DB F8 26 6F
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 74B2F8E0 value: E9 2A 07 D9 90
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 58D0005 value: E9 FB 42 28 6F
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 74B54300 value: E9 0A BD D7 90
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 77D3C000 value: 8B FF 55 8B EC
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 775D5AD0 value: 8B FF 55 8B EC
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 775FB060 value: 8B FF 55 8B EC
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 74B2F8E0 value: 8B FF 55 8B EC
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5968 base: 74B54300 value: 8B FF 55 8B EC
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeProcess created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\75873290272674793137.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\ProgramData\75873290272674793137.exeSpecial instruction interceptor: First address: 00000000015B25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeSpecial instruction interceptor: First address: 00000000006E25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                      Source: C:\ProgramData\75873290272674793137.exeRDTSC instruction interceptor: First address: 00000000015B25FE second address: 00000000015D33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F70A919E801h 0x00000008 call 00007F70A913D081h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F70A92EFF1Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeRDTSC instruction interceptor: First address: 00000000006E25FE second address: 00000000007033CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F70A8349041h 0x00000008 call 00007F70A82E78C1h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F70A849A75Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
                      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 000000000559D526 second address: 000000000559D559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exe TID: 5852Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\timeout.exe TID: 4904Thread sleep count: 42 > 30
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5672Thread sleep time: -780000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5924Thread sleep time: -50000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4836Thread sleep time: -2520000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5928Thread sleep time: -1440000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4836Thread sleep time: -180000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5672Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeThread delayed: delay time: 180000
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeThread delayed: delay time: 360000
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeThread delayed: delay time: 180000
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeRegistry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\Desktop\5GPueTFF2S.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeThread delayed: delay time: 30000
                      Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exeThread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW_^
Source: 5GPueTFF2S.exe, 00000000.00000002.429571864.0000000008DD0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\ProgramData\75873290272674793137.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\75873290272674793137.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECA6E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC35E0 _memset,GetProcAddress,KiUserExceptionDispatcher,CoInitialize,GetThreadUILanguage,TlsGetValue,GetSystemDefaultLangID,IsZoomed,FoldStringW,CoUninitialize,CoUninitialize,GetProcAddress,GetProcAddress,Sleep,OutputDebugStringW,SetLastError,GetLastError,GetLastError,SetLastError,GetConsoleCP,GetLastError,HeapCreate,GetProcAddress,Sleep,RtlAllocateHeap,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECBAFC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process queried: DebugPort
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugPort
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugObjectHandle
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugObjectHandle
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugObjectHandle
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECA6E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECCEC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC91DC SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECD545 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.4 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 85.209.135.109 80
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process created: C:\ProgramData\75873290272674793137.exe "C:\ProgramData\75873290272674793137.exe"
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
Source: C:\ProgramData\75873290272674793137.exe | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECA63C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Stealing of Sensitive Information

Source: Yara match | File source: 18.2.gntuud.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.75873290272674793137.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.518241260.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.445175041.0000000000F71000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.b070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.b070000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.b070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \ElectronCash\wallets\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodus.conf.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: info.seco
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectrumLTC
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: passphrase.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodus.conf.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file__0.localstorage
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default_wallet
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum"
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: multidoge.wallet
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: seed.seco
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.b070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.b070000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.b070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Services File Permissions Weakness (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Services File Permissions Weakness (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Obfuscated Files or Information (2); Software Packing (12); File Deletion (1); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (111); Services File Permissions Weakness (1); Rundll32 (1)
Credential Access: OS Credential Dumping (2); Credential API Hooking (1); Input Capture (1); Credentials in Registry (2); Credentials In Files (1); Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (244); Security Software Discovery (431); Process Discovery (11); Virtualization/Sandbox Evasion (131); Remote System Discovery (1); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (4); Email Collection (1); Credential API Hooking (1); Input Capture (1); GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph ID: 764034 | Sample: 5GPueTFF2S.exe | Startdate: 09/12/2022 | Architecture: WINDOWS | Score: 100

Start
  signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 7 other signatures
  started: 5GPueTFF2S.exe (22); gntuud.exe

5GPueTFF2S.exe
  dnsIp: 135.181.10.220 HETZNER-AS DE Germany; 88.119.169.157 IST-AS LT Lithuania; 8.8.8.8 GOOGLE US United States
  dropped: C:\Users\user\AppData\...\nppshell[1].exe (PE32); C:\ProgramData\75873290272674793137.exe (PE32)
  signatures: Detected unpacking (creates a PE file in dynamic memory); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Self deletion via cmd or bat file; 2 other signatures
  started: 75873290272674793137.exe (3); cmd.exe (1)

gntuud.exe (started from Start)
  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers

75873290272674793137.exe
  dropped: C:\Users\user\AppData\Local\...\gntuud.exe (PE32)
  signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); 2 other signatures
  started: gntuud.exe (17)

cmd.exe (started by 5GPueTFF2S.exe)
  started: conhost.exe; timeout.exe (1)

gntuud.exe (started by 75873290272674793137.exe)
  dnsIp: 85.209.135.109 CMCS US Germany
  dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32)
  signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates an undocumented autostart registry key; 4 other signatures
  started: rundll32.exe; cmd.exe (1); schtasks.exe (1)

rundll32.exe
  dnsIp: 192.168.2.4 unknown unknown
  signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 6 other signatures

cmd.exe (started by gntuud.exe)
  started: conhost.exe; cmd.exe (1); cacls.exe (1); 4 other processes

schtasks.exe
  started: conhost.exe

Source | Detection | Scanner | Label
5GPueTFF2S.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\75873290272674793137.exe | 35% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll | 12% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nppshell[1].exe | 35% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | 35% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll | 12% | ReversingLabs |

Source | Detection | Scanner | Label
0.3.5GPueTFF2S.exe.b070000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.5GPueTFF2S.exe.a3f900.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.5GPueTFF2S.exe.a3f900.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

No Antivirus matches
Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://135.181.10.220/update.zip | 0% | Avira URL Cloud | safe
http://135.181.10.220:801760 | 0% | Avira URL Cloud | safe
http://135ple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe | 0% | Avira URL Cloud | safe
85.209.135.109/jg94cVd30f/index.php | 0% | Avira URL Cloud | safe
http://135.181.10.220/1760 | 0% | Avira URL Cloud | safe
http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe | 100% | Avira URL Cloud | malware
http://135.181.10.220:80/update.zip | 0% | Avira URL Cloud | safe
http://mikub7zdt5qfxou902vyke64v30mcoy.lnrmxftsk2pynk6vwbpg5s/ | 0% | Avira URL Cloud | safe
http://135.181.10.220:8 | 0% | Avira URL Cloud | safe
http://135.181.10.220:80https://t.me/vmt001hello2092;open_open | 0% | Avira URL Cloud | safe
http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exerO | 0% | Avira URL Cloud | safe
http://135.181.10.220:80/update.zipb1ef1c57276c118008692-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963 | 0% | Avira URL Cloud | safe
http://135.181.10.220:80 | 0% | Avira URL Cloud | safe
http://mIkUB7ZDt5qfxou902VyKe64v30McOy.LnrmXFtSK2Pynk6VWBPG5Sf1w0AavRp1BVjmQQUkh2vmJkxEZO5UQQZNHAms9 | 0% | Avira URL Cloud | safe
http://135.181.10.220/ | 0% | Avira URL Cloud | safe
http://135.181.10.220/1760jf. | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
85.209.135.109/jg94cVd30f/index.php | true | Avira URL Cloud: safe | low
https://t.me/vmt001 | false | | high
http://135.181.10.220:80 | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
135.181.10.220 | unknown | Germany | 24940 | HETZNER-ASDE | true
88.119.169.157 | unknown | Lithuania | 61272 | IST-ASLT | false
85.209.135.109 | unknown | Germany | 33657 | CMCSUS | true

IP
192.168.2.4
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 764034
Start date and time: 2022-12-09 10:38:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 5GPueTFF2S.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@31/16@0/5
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 49.3% (good quality ratio 47.2%)
• Quality average: 82.3%
• Quality standard deviation: 22.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Not all processes were analyzed; report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 5GPueTFF2S.exe
Time | Type | Description
10:40:18 | API Interceptor | 1804x Sleep call for process: gntuud.exe modified
10:40:20 | Task Scheduler | Run new task: gntuud.exe path: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Process: C:\Users\user\Desktop\5GPueTFF2S.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 94208
Entropy (8bit): 1.2880737026424216
Encrypted: false
SSDEEP: 192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5: 5F02C426BCF0D3E3DC81F002F9125663
SHA1: EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256: DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512: 53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious: false

Process: C:\Users\user\Desktop\5GPueTFF2S.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 49152
Entropy (8bit): 0.7876734657715041
Encrypted: false
SSDEEP: 48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5: CF7758A2FF4A94A5D589DEBAED38F82E
SHA1: D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256: 6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512: 1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious: false

Process: C:\Users\user\Desktop\5GPueTFF2S.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 147456
Entropy (8bit): 0.47889536469736377
Encrypted: false
SSDEEP: 96:MHVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:YVK+H3HDi9GN6IVj3XBBE3u
MD5: D6648BE90F0B2A39C26D60D499E5EB03
SHA1: 69D2F56BBA9264621C0779F5D74B356C3794AFF0
SHA-256: E26A78FA6C8A1C60B67536CCB9A620F69FF4588F50F7F3956E14E438C6E5F9D6
SHA-512: BEF8A8D7391D16444B6347C1F2E07037EE1DF67652910551133919EF59F44C94636971BF602D93087D628A6E38DDF0929CF4C824994B35E6C2376B0B55AD4974
Malicious: false

Process: C:\Users\user\Desktop\5GPueTFF2S.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category: dropped
Size (bytes): 28672
Entropy (8bit): 0.43613063485556663
Encrypted: false
SSDEEP: 12:TLqlUIFnGP6Gkwtwhg4FdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0u9z3:TLqlj1czkwubXYFpFNYcw+6UwcYzHr
MD5: 46076967A4692D6323BCBDAD8532DA6A
SHA1: A2C61F0EAECF8C2D126FCF82828808B78291E582
SHA-256: BFA77719DCA9C4C92B38BD8A23C9DD751B82DB0F21620E6937C4F97AECC5536B
SHA-512: B4C03F075B2E4DC527AD25B5D5788BE55D4CBCCA66002884CC75528FC57AF54C494B2219C726999E9A29C5AB05C789DB1412F4A01A8AC61726E2F7B785E77691
Malicious: false
                                            Process:C:\Users\user\Desktop\5GPueTFF2S.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7732440
                                            Entropy (8bit):7.8779499305543865
                                            Encrypted:false
                                            SSDEEP:196608:U+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYS:/RWEU+1OP6+X+oYS
                                            MD5:2239A58CC93FD94DC2806CE7F6AF0A0B
                                            SHA1:F09EB7D69BC7440D3D45E14267236A78AC789FCB
                                            SHA-256:682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811
                                            SHA-512:F77C16626A0E17FF79B95F9FDED6A365F913896C89BAF76D16BCC8706F3AD10A9476C7CBD3F235250B936171C6E958E145C402952506DC0E434A4F911C99FE02
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 35%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........XH..6...6...6...5...6...3.a.6...2...6.(.2...6.(.5...6.(.3...6...7...6...7.\.6.f.?...6.f.....6.f.4...6.Rich..6.........PE..L....6.c.....................r.......FU...........@................................~.v...@...................................p......`..`c............u......P......0E..p........................... A..@.............A.h...........................lB@dO\ih............................ ..`Fh?jG[OJL...........................@..@qNR5:WbSLD..........................@...z?fd8ijJh.=......................... ..`CV?7x>JO......A.....................@...EVjKc_MI.wo...A..xo................. ..`dT<:EHzj.....P........o.............@..@@]topACL`c...`...\....o.............@..@........................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7705824
                                            Entropy (8bit):7.9708080300718365
                                            Encrypted:false
                                            SSDEEP:196608:ZQoqS56OZEssxxpKIIue41Cf7sgZz6kmAZQ/9RWB0:dMOevKiB1CfQgplmz/9a0
                                            MD5:2B62E02B3581980EE5A1DDA42FA4F3FE
                                            SHA1:5C36BFA4A4973E8F694D5C077E7312B1C991AEDF
                                            SHA-256:8C46C2AF1CB25BFA8FBBF9D683D72D30DDB2E5D0ECC6BBA997B24714CF2B8C91
                                            SHA-512:255E1B1D51D52872C5E0C54F7807ADC3581D36B3DFB8220C818AC38AC7FCEA91DD42999EE6CCAEF3B9836CD59FCFE19C2669A5B697D627DE4C1D9B8BA563EB3D
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 12%
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*.....................X....................@.................................*.u.............................,..O...X>..@....................~u...............................................................F.............................f5g\gWe7............................ ..`zDthL)*@............................@...nb"h!m#Y................................$^+<%+dU&...........................@...Z-),j99tO...........................@..P8"ikKHD[b.C......................... ..`k&l<0?<6......F.....................@...n[uZh3ex.lu...F..nu................. ..`Uh%r6i!H.............xu.............@..P.............................................................@......................@..P................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\5GPueTFF2S.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7732440
                                            Entropy (8bit):7.8779499305543865
                                            Encrypted:false
                                            SSDEEP:196608:U+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYS:/RWEU+1OP6+X+oYS
                                            MD5:2239A58CC93FD94DC2806CE7F6AF0A0B
                                            SHA1:F09EB7D69BC7440D3D45E14267236A78AC789FCB
                                            SHA-256:682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811
                                            SHA-512:F77C16626A0E17FF79B95F9FDED6A365F913896C89BAF76D16BCC8706F3AD10A9476C7CBD3F235250B936171C6E958E145C402952506DC0E434A4F911C99FE02
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 35%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........XH..6...6...6...5...6...3.a.6...2...6.(.2...6.(.5...6.(.3...6...7...6...7.\.6.f.?...6.f.....6.f.4...6.Rich..6.........PE..L....6.c.....................r.......FU...........@................................~.v...@...................................p......`..`c............u......P......0E..p........................... A..@.............A.h...........................lB@dO\ih............................ ..`Fh?jG[OJL...........................@..@qNR5:WbSLD..........................@...z?fd8ijJh.=......................... ..`CV?7x>JO......A.....................@...EVjKc_MI.wo...A..xo................. ..`dT<:EHzj.....P........o.............@..@@]topACL`c...`...\....o.............@..@........................................................................................................................................................................................
                                            Process:C:\ProgramData\75873290272674793137.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7732440
                                            Entropy (8bit):7.8779499305543865
                                            Encrypted:false
                                            SSDEEP:196608:U+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYS:/RWEU+1OP6+X+oYS
                                            MD5:2239A58CC93FD94DC2806CE7F6AF0A0B
                                            SHA1:F09EB7D69BC7440D3D45E14267236A78AC789FCB
                                            SHA-256:682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811
                                            SHA-512:F77C16626A0E17FF79B95F9FDED6A365F913896C89BAF76D16BCC8706F3AD10A9476C7CBD3F235250B936171C6E958E145C402952506DC0E434A4F911C99FE02
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 35%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........XH..6...6...6...5...6...3.a.6...2...6.(.2...6.(.5...6.(.3...6...7...6...7.\.6.f.?...6.f.....6.f.4...6.Rich..6.........PE..L....6.c.....................r.......FU...........@................................~.v...@...................................p......`..`c............u......P......0E..p........................... A..@.............A.h...........................lB@dO\ih............................ ..`Fh?jG[OJL...........................@..@qNR5:WbSLD..........................@...z?fd8ijJh.=......................... ..`CV?7x>JO......A.....................@...EVjKc_MI.wo...A..xo................. ..`dT<:EHzj.....P........o.............@..@@]topACL`c...`...\....o.............@..@........................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                            Category:dropped
                                            Size (bytes):96208
                                            Entropy (8bit):7.920718791075791
                                            Encrypted:false
                                            SSDEEP:1536:C66YpZSvaEuegY9ArFi7deYA070yjPTv6SUv9bMzXQoHID3WlgDnqc1uhDO6KgrO:YYnSvbtgsArFi3Y+yVFWAoHQWlep1u1S
                                            MD5:864C73BCC733D275D7A8B0AC455F09CF
                                            SHA1:D885D54A9AEED3B4D4F097218747629E59A83582
                                            SHA-256:D376E89252A2E21635744857EA02E60105545A58D6E75CEFF0F7D3FC4B07A2BF
                                            SHA-512:A6BF03A348371A7E38B24F51777195EDC995B3FC09A44D874942A85C123B9BEA041176C80BC5CF72088AB9C5D1D854607C82A2C9F12E78083703B5CC47E5657A
                                            Malicious:false
                                            Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(....Q..R...`2.`....j.$.....+..];$....F...K.1...3.)k...@<1..@.../...G. .....g.G.....~.W.W.......
                                            Process:C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7705824
                                            Entropy (8bit):7.9708080300718365
                                            Encrypted:false
                                            SSDEEP:196608:ZQoqS56OZEssxxpKIIue41Cf7sgZz6kmAZQ/9RWB0:dMOevKiB1CfQgplmz/9a0
                                            MD5:2B62E02B3581980EE5A1DDA42FA4F3FE
                                            SHA1:5C36BFA4A4973E8F694D5C077E7312B1C991AEDF
                                            SHA-256:8C46C2AF1CB25BFA8FBBF9D683D72D30DDB2E5D0ECC6BBA997B24714CF2B8C91
                                            SHA-512:255E1B1D51D52872C5E0C54F7807ADC3581D36B3DFB8220C818AC38AC7FCEA91DD42999EE6CCAEF3B9836CD59FCFE19C2669A5B697D627DE4C1D9B8BA563EB3D
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 12%
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*.....................X....................@.................................*.u.............................,..O...X>..@....................~u...............................................................F.............................f5g\gWe7............................ ..`zDthL)*@............................@...nb"h!m#Y................................$^+<%+dU&...........................@...Z-),j99tO...........................@..P8"ikKHD[b.C......................... ..`k&l<0?<6......F.....................@...n[uZh3ex.lu...F..nu................. ..`Uh%r6i!H.............xu.............@..P.............................................................@......................@..P................................................................................................................................................................................
                                            Process:C:\Windows\SysWOW64\cacls.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):15
                                            Entropy (8bit):3.240223928941852
                                            Encrypted:false
                                            SSDEEP:3:o3F:o1
                                            MD5:509B054634B6DE74F111C3E646BC80FD
                                            SHA1:99B4C0F39144A92FE42E22473A2A2552FB16BD13
                                            SHA-256:07C7C151ADD6D955F3C876359C0E2A3A3FB0C519DD1E574413F0B68B345D8C36
                                            SHA-512:A9C2D23947DBE09D5ECFBF6B3109F3CF8409E43176AE10C18083446EDE006E60E41C3EA2D2765036A967FC81B085D5F271686606AED4154AE45287D412CF6D40
                                            Malicious:false
                                            Preview:processed dir:
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.937705906500799
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:5GPueTFF2S.exe
                                            File size:1493440
                                            MD5:7d124bc23be85d73b1177143f41b5e72
                                            SHA1:09633b90a0b993fd4dec6d522a1243433fc3ab10
                                            SHA256:04805512d670fb5f37bdf17bf00aae6976650f82c0b4bd342f3506d204f7aea2
                                            SHA512:f4d318361bcccd7a3a77cdb243fa27e46abb6831cc315a4d8c4df9c37f30d11d2a0cd8a0ab9c8567f2c584dbcca1a9c336677216b8e31495c20061b287c29ebe
                                            SSDEEP:24576:jEiV++MCUfiiF5CYElcxGvvJq89F85NURwfCULmNQpBAXFVw/5xbpY0Y8vNcup:jEiV++MCxiF0tJ25NK2mapBA1uxYSlcG
                                            TLSH:BA65236E93951032DAC617342CF7CF9BB739EF2516A897472A869D2A7C31BD0D930306
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#c..g...g...g...yPb.~...yPs.v...yPe.+...@...`...g...9...yPl.e...yPr.f...g.q.b...yPw.f...Richg...........PE..L....#.c...........
                                            Icon Hash:c8d4f2e8e8b2e4d8
                                            Entrypoint:0x40901d
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x63922306 [Thu Dec 8 17:46:46 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:bb2af1988009d4b4491115f62e2f94ab
Signature Valid:false
Signature Issuer:CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
Signature Validation Error:A certificate chain could not be built to a trusted root authority
Error Number:-2146762486 (0x800B010A, CERT_E_CHAINING)
Not Before:10/25/2022 2:00:00 AM
Not After:11/23/2023 12:59:59 AM
Subject Chain
• CN=vcoins.com
Version:3
Thumbprint MD5:7353B8C793C943D5CF2DE1715C892554
Thumbprint SHA-1:D2516DC5680485D69BC68CCCCA5E2D61A43D345F
Thumbprint SHA-256:C831B8A2466C3A56F5AA15E9C540B5A2B3359C94386EE03D349C975F08DE1C03
Serial:050A012C9D98C6D640D2D7F67E016985
Note:"Digitally signed: true" only means the file carries a security directory (0x13c0 bytes at file offset 0x16b600, i.e. the tail of the 1493440-byte file). The certificate inside it was issued by Amazon's public TLS server CA ("Server CA 1B") to the web host vcoins.com, not to a code-signing identity, so Authenticode validation cannot chain it to a trusted root and the signature says nothing about the publisher. Treat the sample as unsigned; a signature block that fails to validate is a look-alike, not a credential.
Instruction (disassembly starting at the entrypoint, 0x40901d):
Note:the opening call/jmp pair is the standard VS2008 CRT entry stub (security-cookie initialisation followed by a jump into the CRT startup routine); the instructions after it are neighbouring CRT library code in .text (an OS-error-to-errno mapping routine and the calloc implementation), not the sample's own logic, which is only unpacked at run time.
                                            call 00007F70A8E0920Fh
                                            jmp 00007F70A8E07A6Eh
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            mov eax, dword ptr [ebp+08h]
                                            xor ecx, ecx
                                            cmp eax, dword ptr [00540008h+ecx*8]
                                            je 00007F70A8E07C05h
                                            inc ecx
                                            cmp ecx, 2Dh
                                            jc 00007F70A8E07BE3h
                                            lea ecx, dword ptr [eax-13h]
                                            cmp ecx, 11h
                                            jnbe 00007F70A8E07C00h
                                            push 0000000Dh
                                            pop eax
                                            pop ebp
                                            ret
                                            mov eax, dword ptr [0054000Ch+ecx*8]
                                            pop ebp
                                            ret
                                            add eax, FFFFFF44h
                                            push 0000000Eh
                                            pop ecx
                                            cmp ecx, eax
                                            sbb eax, eax
                                            and eax, ecx
                                            add eax, 08h
                                            pop ebp
                                            ret
                                            call 00007F70A8E08C5Ch
                                            test eax, eax
                                            jne 00007F70A8E07BF8h
                                            mov eax, 00540170h
                                            ret
                                            add eax, 08h
                                            ret
                                            push 0000000Ch
                                            push 0053F408h
                                            call 00007F70A8E08FC1h
                                            mov ecx, dword ptr [ebp+08h]
                                            xor edi, edi
                                            cmp ecx, edi
                                            jbe 00007F70A8E07C20h
                                            push FFFFFFE0h
                                            pop eax
                                            xor edx, edx
                                            div ecx
                                            cmp eax, dword ptr [ebp+0Ch]
                                            sbb eax, eax
                                            inc eax
                                            jne 00007F70A8E07C11h
                                            call 00007F70A8E07BB9h
                                            mov dword ptr [eax], 0000000Ch
                                            push edi
                                            push edi
                                            push edi
                                            push edi
                                            push edi
                                            call 00007F70A8E09349h
                                            add esp, 14h
                                            xor eax, eax
                                            jmp 00007F70A8E07CCAh
                                            imul ecx, dword ptr [ebp+0Ch]
                                            mov esi, ecx
                                            mov dword ptr [ebp+08h], esi
                                            cmp esi, edi
                                            jne 00007F70A8E07BF5h
                                            xor esi, esi
                                            inc esi
                                            xor ebx, ebx
                                            mov dword ptr [ebp-1Ch], ebx
                                            cmp esi, FFFFFFE0h
                                            jnbe 00007F70A8E07C5Bh
                                            cmp dword ptr [00755448h], 03h
                                            jne 00007F70A8E07C3Dh
                                            add esi, 0Fh
                                            Programming Language:
                                            • [C++] VS2008 build 21022
                                            • [ASM] VS2008 build 21022
                                            • [ C ] VS2008 build 21022
                                            • [IMP] VS2005 build 50727
                                            • [RES] VS2008 build 21022
                                            • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13f674 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x356000 | 0x28330 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16b600 | 0x13c0 | .data (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37f000 | 0x14d4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13e170 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13f338 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x13e000 | 0x134 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Note:the SECURITY entry (the Authenticode certificate table) is the one directory whose address is a file offset rather than an RVA. 0x16b600 + 0x13c0 = 0x16c9c0 = 1493440, the file size, so the signature blob is the last 0x13c0 bytes of the file; its ".data" mapping above is an artifact of treating that offset as an RVA and should be ignored.
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13c331 | 0x13c400 | False | 0.9838724370059289 | data | 7.993775932964981 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13e000 | 0x1d66 | 0x1e00 | False | 0.36627604166666666 | data | 5.590565779983959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x140000 | 0x21557c | 0xe00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x356000 | 0x28330 | 0x28400 | False | 0.8145805027173914 | data | 7.416644005362062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x37f000 | 0x3cc8 | 0x3e00 | False | 0.28616431451612906 | data | 3.1400595377335185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note:.text is at near-maximum entropy (7.99 bits/byte over 0x13c400 raw bytes, most of the 0x16c9c0-byte file) and .data reserves 0x21557c bytes of virtual space for only 0xe00 raw bytes. That is the layout of a packed executable: the code section is opaque on disk and the space is for run-time unpacking, which is why the Yara hits for this process below come from memory dumps (.sdmp) rather than from the file itself.
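The script below is an added example and not part of the Joe Sandbox report: it reproduces the "Is in Section" column of the data-directory table, treats the SECURITY entry as the file offset it is, and runs the three checks a reviewer applies to the section table above (a section at packed-level entropy, a section whose VirtualSize dwarfs its RawSize, and a signature blob sitting at end of file). The section, directory and file-size values are copied from the report and embedded as constructed input so it runs offline; the function names and the two thresholds are the author's own assumptions.

```python
"""Static triage of the section table and data directories above.

Added example, not part of the Joe Sandbox report. SECTIONS, DATA_DIRECTORIES
and FILE_SIZE are copied from the report for 5GPueTFF2S.exe and embedded as
constructed input; the function names and thresholds are the author's own.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float  # bits per byte as reported; shannon_entropy() shows the calculation


# Section table from the report. .data has no reported entropy, so 0.0 is used.
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x13C331, 0x13C400, 7.993775932964981),
    Section(".rdata", 0x13E000, 0x1D66, 0x1E00, 5.590565779983959),
    Section(".data", 0x140000, 0x21557C, 0xE00, 0.0),
    Section(".rsrc", 0x356000, 0x28330, 0x28400, 7.416644005362062),
    Section(".reloc", 0x37F000, 0x3CC8, 0x3E00, 3.1400595377335185),
]
FILE_SIZE = 1493440  # "File size" from the report

# Data directories from the report: name -> (VirtualAddress, Size). EXPORT is
# kept as an example of an empty entry; the other empty ones are omitted.
DATA_DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "EXPORT": (0x0, 0x0),
    "IMPORT": (0x13F674, 0x50),
    "RESOURCE": (0x356000, 0x28330),
    "SECURITY": (0x16B600, 0x13C0),
    "BASERELOC": (0x37F000, 0x14D4),
    "DEBUG": (0x13E170, 0x1C),
    "LOAD_CONFIG": (0x13F338, 0x40),
    "IAT": (0x13E000, 0x134),
}

# Thresholds (assumptions, not from the report): >= 7.9 bits/byte is treated
# as packed/encrypted; VirtualSize above 8x RawSize as a run-time unpacking area.
ENTROPY_PACKED = 7.9
VSIZE_RAW_RATIO = 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the figure in the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(rva: int, sections: List[Section]) -> Optional[Section]:
    """The section whose virtual range contains rva, i.e. 'Is in Section'."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def locate_directory(name: str, va: int, size: int, sections: List[Section]) -> str:
    """Where a data directory lives. SECURITY (the certificate table) is the one
    entry whose VirtualAddress is a raw file offset, so it is reported as a file
    range instead of being mapped through the section table."""
    if va == 0 and size == 0:
        return "absent"
    if name == "SECURITY":
        return f"file offset 0x{va:x}-0x{va + size:x}"
    sec = section_for_rva(va, sections)
    return sec.name if sec else "outside image"


def triage(sections: List[Section], dirs: Dict[str, Tuple[int, int]],
           file_size: int) -> List[Tuple[str, str]]:
    """(item, finding) pairs a reviewer would raise from the static tables alone."""
    findings: List[Tuple[str, str]] = []
    for s in sections:
        if s.entropy >= ENTROPY_PACKED:
            findings.append((s.name, "HIGH_ENTROPY"))
        if s.raw_size and s.virtual_size > VSIZE_RAW_RATIO * s.raw_size:
            findings.append((s.name, "VSIZE_GT_RAW"))
    va, size = dirs.get("SECURITY", (0, 0))
    if size and va + size == file_size:
        # The Authenticode blob is the tail of the file; nothing follows it.
        findings.append(("SECURITY", "SIGNATURE_AT_EOF"))
    return findings


if __name__ == "__main__":
    for name, (va, size) in DATA_DIRECTORIES.items():
        print(f"{name:12s} 0x{va:06x} 0x{size:05x}  {locate_directory(name, va, size, SECTIONS)}")
    for item, finding in triage(SECTIONS, DATA_DIRECTORIES, FILE_SIZE):
        print(f"{item}: {finding}")
```

Run as-is it lists each directory with its location and reports three findings for this sample: .text HIGH_ENTROPY, .data VSIZE_GT_RAW and SECURITY SIGNATURE_AT_EOF. To apply it to a file rather than to the report's numbers, fill SECTIONS from the parsed section headers and pass each section's raw bytes to shannon_entropy().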
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x356508 | 0x1b278 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Polish | Poland
RT_ICON | 0x371780 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | Polish | Poland
RT_ICON | 0x3759a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Polish | Poland
RT_ICON | 0x377f50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | Polish | Poland
RT_ICON | 0x378df8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Polish | Poland
RT_ICON | 0x379460 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Polish | Poland
RT_ICON | 0x37a508 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | Polish | Poland
RT_ICON | 0x37adb0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Polish | Poland
RT_ICON | 0x37b098 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Polish | Poland
RT_ICON | 0x37ba20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576 | Polish | Poland
RT_ICON | 0x37c0e8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Polish | Poland
RT_ICON | 0x37c2d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Polish | Poland
RT_ICON | 0x37c738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | Polish | Poland
RT_ICON | 0x37cca0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Polish | Poland
RT_DIALOG | 0x37cdc8 | 0x108 | data | Polish | Poland
RT_DIALOG | 0x37ced0 | 0x15c | data | Polish | Poland
RT_DIALOG | 0x37d02c | 0x13c | data | Polish | Poland
RT_DIALOG | 0x37d168 | 0x19c | data | Polish | Poland
RT_STRING | 0x37d304 | 0x14c | data | Polish | Poland
RT_STRING | 0x37d450 | 0x5ac | data | Polish | Poland
RT_STRING | 0x37d9fc | 0x540 | data | Polish | Poland
RT_STRING | 0x37df3c | 0x1cc | data | Polish | Poland
RT_GROUP_ICON | 0x37e108 | 0xca | Targa image data - Map 32 x 45688 x 1 +1 (see note) | Polish | Poland
RT_MANIFEST | 0x37e1d4 | 0x15a | ASCII text, with CRLF line terminators | English | United States
Note:the "Targa image data" type for RT_GROUP_ICON is a file-type-guesser misidentification of the GRPICONDIR header; 0xca bytes is exactly a 6-byte header plus fourteen 14-byte entries, matching the fourteen RT_ICON resources above. The 256 x 256 icon being stored as PNG is normal for Vista-era icon resources. The icon, dialog and string resources are tagged Polish while the manifest is English (US), the usual sign of a resource set lifted from an unrelated Polish-language application to make the sample look legitimate.
DLL | Import
KERNEL32.dll | GetSystemDefaultLangID, lstrlenA, TlsGetValue, HeapAlloc, InterlockedIncrement, OutputDebugStringW, IsBadReadPtr, GetConsoleCP, Sleep, HeapCreate, GetACP, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, FoldStringW, GetCurrentProcessId, GetThreadUILanguage, LCMapStringW, LCMapStringA, GetStringTypeW, MultiByteToWideChar, GetStringTypeA, GetStartupInfoW, SetUnhandledExceptionFilter, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte
USER32.dll | GetMessagePos, MessageBoxW, IsIconic, GetMessageExtraInfo, IsZoomed, GetWindowTextLengthA, GetForegroundWindow
ole32.dll | CoInitialize, CoUninitialize
                                            Language of compilation system | Country where language is spoken | Map
                                            Polish | Poland
                                            English | United States
                                            No network behavior found

                                            Target ID:0
                                            Start time:10:39:00
                                            Start date:09/12/2022
                                            Path:C:\Users\user\Desktop\5GPueTFF2S.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\5GPueTFF2S.exe
                                            Imagebase:0xec0000
                                            File size:1493440 bytes
                                            MD5 hash:7D124BC23BE85D73B1177143F41B5E72
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Target ID:1
                                            Start time:10:39:50
                                            Start date:09/12/2022
                                            Path:C:\ProgramData\75873290272674793137.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\75873290272674793137.exe"
                                            Imagebase:0xf70000
                                            File size:7732440 bytes
                                            MD5 hash:2239A58CC93FD94DC2806CE7F6AF0A0B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.445175041.0000000000F71000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 35%, ReversingLabs
                                            Reputation:low

                                            Target ID:4
                                            Start time:10:39:56
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
                                            Imagebase:0xd90000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:5
                                            Start time:10:39:56
                                            Start date:09/12/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7c72c0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:6
                                            Start time:10:39:56
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\timeout.exe
                                            Wow64 process (32bit):true
                                            Commandline:timeout /t 6
                                            Imagebase:0x1140000
                                            File size:26112 bytes
                                            MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:7
                                            Start time:10:40:04
                                            Start date:09/12/2022
                                            Path:C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
                                            Imagebase:0xa0000
                                            File size:7732440 bytes
                                            MD5 hash:2239A58CC93FD94DC2806CE7F6AF0A0B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 35%, ReversingLabs
                                            Reputation:low

                                            Target ID:8
                                            Start time:10:40:17
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
                                            Imagebase:0x11e0000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:9
                                            Start time:10:40:17
                                            Start date:09/12/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7c72c0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:10
                                            Start time:10:40:17
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
                                            Imagebase:0xd90000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:11
                                            Start time:10:40:17
                                            Start date:09/12/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff61e220000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:12
                                            Start time:10:40:18
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                            Imagebase:0xd90000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:13
                                            Start time:10:40:18
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cacls.exe
                                            Wow64 process (32bit):true
                                            Commandline:CACLS "gntuud.exe" /P "user:N"
                                            Imagebase:0x1200000
                                            File size:27648 bytes
                                            MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            Target ID:14
                                            Start time:10:40:18
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cacls.exe
                                            Wow64 process (32bit):true
                                            Commandline:CACLS "gntuud.exe" /P "user:R" /E
                                            Imagebase:0x1200000
                                            File size:27648 bytes
                                            MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            Target ID:15
                                            Start time:10:40:19
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                            Imagebase:0xd90000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            Target ID:16
                                            Start time:10:40:19
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cacls.exe
                                            Wow64 process (32bit):true
                                            Commandline:CACLS "..\03bd543fce" /P "user:N"
                                            Imagebase:0x1200000
                                            File size:27648 bytes
                                            MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            Target ID:17
                                            Start time:10:40:19
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\cacls.exe
                                            Wow64 process (32bit):true
                                            Commandline:CACLS "..\03bd543fce" /P "user:R" /E
                                            Imagebase:0x1200000
                                            File size:27648 bytes
                                            MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            Target ID:18
                                            Start time:10:40:20
                                            Start date:09/12/2022
                                            Path:C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
                                            Imagebase:0xa0000
                                            File size:7732440 bytes
                                            MD5 hash:2239A58CC93FD94DC2806CE7F6AF0A0B
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000012.00000002.518241260.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security

                                            Target ID:19
                                            Start time:10:40:22
                                            Start date:09/12/2022
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
                                            Imagebase:0xf10000
                                            File size:61952 bytes
                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi

                                            No disassembly