Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:780217
MD5:4c085e942806b5c8d972695451aa8f48
SHA1:208d04b2528058609221c87cf1272d420099c493
SHA256:283b0f136d26968786e7a0abe1354758de4cdade534ddee63b93569c282f2299
Tags:exe

Detection

Tofsee
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Found API chain indicative of debugger detection
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Modifies existing windows services
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 4516 cmdline: C:\Users\user\Desktop\file.exe MD5: 4C085E942806B5C8D972695451AA8F48)
    • cmd.exe (PID: 5252 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2824 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 1352 cmdline: C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 1348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5936 cmdline: C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5228 cmdline: "C:\Windows\System32\sc.exe" start tsqtjgfo MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 3648 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • qtcnnjjg.exe (PID: 5940 cmdline: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d"C:\Users\user\Desktop\file.exe" MD5: 3D0E87BA5B0B7BA4C2F68898214F5106)
    • svchost.exe (PID: 3232 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • cleanup
Malware Configuration (Tofsee, extracted from 0.2.file.exe.2d20e67.1.raw.unpack): {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}
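The process tree above is the whole Tofsee install chain in one screen: a randomly named directory under SysWOW64, the dropped binary moved there from the user's Temp folder, an auto-start service registered with sc.exe whose /d argument hands the original dropper path to the service (the "Deletes itself after installation" signature), an inbound firewall allow rule for svchost.exe added with netsh, and finally a 32-bit svchost.exe started without the usual -k group by the new service binary rather than by services.exe. The report records no Sigma rule match for this run, so the following is an added example (not part of the Joe Sandbox report) of process-creation detection logic that would catch the chain. The events are constructed from the report's command lines; the Event field layout is this example's own, not a Sysmon or EDR schema, and the parent of file.exe is assumed to be explorer.exe.

```python
"""Process-tree detection for the Tofsee install chain above.

Added example, not part of the Joe Sandbox report. The events are constructed
from the report's process tree; the Event fields (pid, image, cmdline,
parent_image) are this example's own layout, not a Sysmon or EDR schema, and
the parent of file.exe is assumed to be explorer.exe.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    cmdline: str
    parent_image: str


DROPPER = r"C:\Users\user\Desktop\file.exe"
SERVICE_EXE = r"C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe"

# Constructed from the process tree (command lines as the sandbox recorded them).
EVENTS = [
    Event(4516, DROPPER, DROPPER, r"C:\Windows\explorer.exe"),
    Event(5252, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo' + "\\", DROPPER),
    Event(2824, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" '
          r'C:\Windows\SysWOW64\tsqtjgfo' + "\\", DROPPER),
    Event(1352, r"C:\Windows\System32\sc.exe",
          r'C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe '
          r'/d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support', DROPPER),
    Event(5228, r"C:\Windows\System32\sc.exe", r'"C:\Windows\System32\sc.exe" start tsqtjgfo', DROPPER),
    Event(3648, r"C:\Windows\System32\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
          r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes', DROPPER),
    Event(3232, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe", SERVICE_EXE),
    # Benign control: a real 32-bit svchost instance, started by services.exe with a -k group.
    Event(900, r"C:\Windows\SysWOW64\svchost.exe",
          r"C:\Windows\SysWOW64\svchost.exe -k WerSvcGroup", r"C:\Windows\System32\services.exe"),
]


def classify(ev: Event) -> list[str]:
    """Return the indicator tags one process-creation event trips (empty if none)."""
    img, cmd, parent = ev.image.lower(), ev.cmdline.lower(), ev.parent_image.lower()
    tags = []
    # Service registered with its binary in a subdirectory of SysWOW64.
    if img.endswith(r"\sc.exe") and re.search(r"\bcreate\b", cmd):
        if re.search(r'binpath=\s*"?[a-z]:\\windows\\syswow64\\[^\\"]+\\[^"\s]+\.exe', cmd):
            tags.append("sc_create_syswow64_subdir")
        if re.search(r"\bstart=\s*auto\b", cmd):
            tags.append("sc_autostart")
    # Dropped file moved from the user's Temp directory into a Windows directory.
    if img.endswith(r"\cmd.exe") and re.search(
            r'\bmove\b.*\\appdata\\local\\temp\\.*\s"?c:\\windows\\', cmd):
        tags.append("temp_to_windows_move")
    # Ad hoc inbound allow rule for a svchost.exe path (the built-in svchost rules ship with Windows).
    if (img.endswith(r"\netsh.exe") and "advfirewall" in cmd and "action=allow" in cmd
            and re.search(r'program="?[^"\s]*\\svchost\.exe', cmd)):
        tags.append("firewall_allow_svchost")
    # A genuine svchost.exe is started by services.exe and always carries a -k <group> argument.
    if img.endswith(r"\svchost.exe") and (
            not parent.endswith(r"\services.exe") or " -k " not in f" {cmd} "):
        tags.append("rogue_svchost")
    return tags


CORE = "sc_create_syswow64_subdir"
SUPPORTING = ("temp_to_windows_move", "firewall_allow_svchost", "rogue_svchost", "sc_autostart")


def detect_install_chain(events: list[Event]) -> dict:
    """Correlate per-event tags for one host into a verdict.

    The service registration is required, plus at least two supporting indicators,
    so a lone sc.exe call from admin scripting does not fire on its own.
    """
    hits: dict[str, list[int]] = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(tag, []).append(ev.pid)
    supporting = [t for t in SUPPORTING if t in hits]
    return {"alert": CORE in hits and len(supporting) >= 2, "indicators": hits}


if __name__ == "__main__":
    result = detect_install_chain(EVENTS)
    print("ALERT" if result["alert"] else "clean", result["indicators"])
```

The threshold in detect_install_chain is deliberate: sc.exe create with an auto-start service is common in legitimate deployment scripts, so the alert needs the service registration together with two of the noisier-but-cheaper indicators (Temp-to-Windows move, netsh allow rule for svchost, svchost with the wrong parent or no -k). Run over the constructed events it fires once for the chain and stays silent for the benign 32-bit svchost instance.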
Yara matches on memory dumps (Source | Rule | Description | Author | Strings)
  • 00000000.00000002.344749194.0000000002DA8000.00000040.00000020.00020000.00000000.sdmp
    Rule: Windows_Trojan_RedLineStealer_ed346e4c (description unknown, author unknown)
    • 0x2800:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp
    Rule: JoeSecurity_Tofsee, "Yara detected Tofsee", Joe Security
    Rule: MALWARE_Win_Tofsee, "Detects Tofsee", ditekSHen
    • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
    • 0x10310:$s2: loader_id
    • 0x10340:$s3: start_srv
    • 0x10370:$s4: lid_file_upd
    • 0x10364:$s5: localcfg
    • 0x10a94:$s6: Incorrect respons
    • 0x10b74:$s7: mx connect error
    • 0x10af0:$s8: Error sending command (sent = %d/%d)
    • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
    Rule: Windows_Trojan_Tofsee_26124fe4 (description unknown, author unknown)
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  • 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp
    Rule: JoeSecurity_Tofsee, "Yara detected Tofsee", Joe Security
  (24 entries in total; the remaining entries are not included in this export)

Yara matches on unpacked PE files (Source | Rule | Description | Author | Strings)
  • 0.3.file.exe.2d40000.0.unpack
    Rule: MALWARE_Win_Tofsee, "Detects Tofsee", ditekSHen
    • 0xe110:$s2: loader_id
    • 0xe140:$s3: start_srv
    • 0xe170:$s4: lid_file_upd
    • 0xe164:$s5: localcfg
    • 0xe894:$s6: Incorrect respons
    Rule: Windows_Trojan_Tofsee_26124fe4 (description unknown, author unknown)
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  • 0.2.file.exe.2d20e67.1.unpack
    Rule: MALWARE_Win_Tofsee, "Detects Tofsee", ditekSHen
    • 0xe110:$s2: loader_id
    • 0xe140:$s3: start_srv
    • 0xe170:$s4: lid_file_upd
    • 0xe164:$s5: localcfg
    • 0xe894:$s6: Incorrect respons
    Rule: Windows_Trojan_Tofsee_26124fe4 (description unknown, author unknown)
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  • 11.2.qtcnnjjg.exe.400000.0.raw.unpack
    Rule: JoeSecurity_Tofsee, "Yara detected Tofsee", Joe Security
  (39 entries in total; the remaining entries are not included in this export)
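Two things in the match listing above are worth separating when triaging: the Tofsee hits rest on several family-specific configuration and error strings ($s2 to $s9) plus two longer code patterns, whereas the RedLineStealer_ed346e4c hit on the 0x2DA8000 dump rests on a single 22-byte function prologue, the kind of byte sequence many unrelated x86 binaries share. The following is an added example (not part of the Joe Sandbox report, and not the YARA rules themselves) that re-checks those indicators against a memory dump and reports offsets in the same 0x<offset>:$id form the report uses. The strings and hex patterns are copied from the listing; the scoring policy in verdict() is this example's own and is not the condition of MALWARE_Win_Tofsee or of the Windows_Trojan_* rules. The input buffer is constructed inline.

```python
"""Re-check the string indicators listed above against a memory dump.

Added example, not part of the Joe Sandbox report and not the YARA rules
themselves. The $s1-$s9 strings and the hex patterns are copied from the
report's match listing; the scoring in verdict() (how many must hit) is this
example's own policy, not the condition of MALWARE_Win_Tofsee or of the
Windows_Trojan_* rules. The input buffer is constructed inline.
"""

TOFSEE_STRINGS = {
    "$s1": b"n%systemroot%\\system32\\cmd.exe",
    "$s2": b"loader_id",
    "$s3": b"start_srv",
    "$s4": b"lid_file_upd",
    "$s5": b"localcfg",
    "$s6": b"Incorrect respons",
    "$s7": b"mx connect error",
    "$s8": b"Error sending command (sent = %d/%d)",
    "$s9": b"%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",
}
TOFSEE_CODE = {
    "$a": bytes.fromhex("55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 "
                        "88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3"),
    "$b": bytes.fromhex("8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB "
                        "74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3"),
}
# The single string behind the RedLineStealer_ed346e4c hit: a 22-byte function prologue.
GENERIC_PROLOGUE = {
    "$a": bytes.fromhex("55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B"),
}


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in buf, overlapping occurrences included."""
    offsets, start = [], 0
    while (i := buf.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(buf: bytes, patterns: dict[str, bytes]) -> dict[str, list[int]]:
    """Map each pattern id to its offsets; ids with no hit are omitted."""
    return {pid: offs for pid, pat in patterns.items() if (offs := find_all(buf, pat))}


def render(hits: dict[str, list[int]], patterns: dict[str, bytes]) -> list[str]:
    """Report-style lines: 0x<offset>:$id: <printable string or hex bytes>."""
    lines = []
    for pid, offs in hits.items():
        pat = patterns[pid]
        shown = pat.decode("ascii") if all(0x20 <= b < 0x7F for b in pat) else pat.hex(" ").upper()
        lines.extend(f"0x{off:x}:{pid}: {shown}" for off in offs)
    return lines


def verdict(buf: bytes) -> dict:
    """Example policy: a Tofsee-specific code pattern, or at least four of the nine
    config/error strings, names the family; a lone generic prologue does not."""
    text_hits, code_hits = scan(buf, TOFSEE_STRINGS), scan(buf, TOFSEE_CODE)
    generic_hits = scan(buf, GENERIC_PROLOGUE)
    family = "Tofsee" if code_hits or len(text_hits) >= 4 else None
    return {
        "family": family,
        "text_hits": text_hits,
        "code_hits": code_hits,
        "generic_only": bool(generic_hits) and family is None,
    }


def build_sample() -> bytes:
    """Constructed dump: 0x100 bytes of filler, the generic prologue, padding, then
    the five strings the report found in the unpacked images ($s2..$s6)."""
    buf = bytearray(0x100) + GENERIC_PROLOGUE["$a"] + bytes(0x20)
    for pid in ("$s2", "$s3", "$s4", "$s5", "$s6"):
        buf += TOFSEE_STRINGS[pid] + b"\x00"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for line in render(verdict(sample)["text_hits"], TOFSEE_STRINGS):
        print(line)
```

On the constructed dump the five configuration strings give a Tofsee verdict even though neither code pattern is present, while a buffer containing only the generic prologue is reported as generic_only rather than as RedLine: a single short prologue match is a reason to look, not a family attribution.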
        No Sigma rule has matched
Snort IDS alerts: SID 2023883 (ET DNS Query to a *.top domain - Likely Hostile), Classtype: Potentially Bad Traffic, Protocol: UDP, 192.168.2.5 -> 8.8.8.8:53
  • 01/08/23-16:14:55.286794, source port 51441
  • 01/08/23-16:15:35.449008, source port 63446
  • 01/08/23-16:16:15.738842, source port 59220
  • 01/08/23-16:16:57.387452, source port 56682
  • 01/08/23-16:17:37.662206, source port 62659

        AV Detection

        Source: file.exe | ReversingLabs: Detection: 46%
        Source: svartalfheim.top | Virustotal: Detection: 16%
        Source: jotunheim.name | Virustotal: Detection: 15%
        Source: file.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe | Joe Sandbox ML: detected
        Source: 0.3.file.exe.2d40000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 11.2.qtcnnjjg.exe.2c40e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 0.2.file.exe.2d20e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 11.2.qtcnnjjg.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
        Source: 14.2.svchost.exe.4d0000.0.unpack | Avira: Label: BDS/Backdoor.Gen
        Source: 0.2.file.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
        Source: 11.2.qtcnnjjg.exe.2da0000.2.unpack | Avira: Label: BDS/Backdoor.Gen
        Source: 11.3.qtcnnjjg.exe.2d40000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 0.2.file.exe.2d20e67.1.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}

        Compliance

        Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Unpacked PE file: 11.2.qtcnnjjg.exe.400000.0.unpack
        Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
        Source: Binary string: C:\joraxobufovo 8-nukasemuluz\24\ruyal\geyobuwu.pdb | source: file.exe, qtcnnjjg.exe.0.dr

        Networking

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.254 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 93.189.42.6 443
        Source: C:\Windows\SysWOW64\svchost.exe | Domain query: svartalfheim.top
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.29 25
        Source: C:\Windows\SysWOW64\svchost.exe | Domain query: jotunheim.name
        Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
        Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:51441 -> 8.8.8.8:53
        Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:63446 -> 8.8.8.8:53
        Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:59220 -> 8.8.8.8:53
        Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56682 -> 8.8.8.8:53
        Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:62659 -> 8.8.8.8:53
        Source: Malware configuration extractor | URLs: svartalfheim.top:443
        Source: Malware configuration extractor | URLs: jotunheim.name:443
        Source: Joe Sandbox View | ASN Name: RISS-ASRU
        Source: Joe Sandbox View | ASN Name: NTCOM-ASRU
        Source: Joe Sandbox View | IP Address: 80.66.75.254
        Source: Joe Sandbox View | IP Address: 93.189.42.6
        Source: global traffic | TCP traffic: 192.168.2.5:49700 -> 52.101.40.29:25
        Source: unknown | Network traffic detected: HTTP traffic on port 443, both directions, with local ports 49701, 49707, 49711, 49713, 49715, 49717 and 49721
        Source: unknown | DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,
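Three network observations above carry the detection value: the injected 32-bit svchost.exe resolves and connects to both hosts from the extracted C2 list on 443, it opens a direct TCP 25 session to an MX host (microsoft-com.mail.protection.outlook.com) from what is a workstation, which is the spambot behaviour behind the "Uses SMTP (mail sending)" signature, and the only IDS signature that fired is the generic *.top TLD rule. The following is an added example (not part of the Joe Sandbox report) of flow-level triage that turns those into findings. The flow and DNS records are constructed from the Networking section; the record layout and the host_role label are this example's own, and because the report does not say which domain resolved to which address, the name-to-IP pairing used for the DNS answers is an assumption.

```python
"""Network-side triage for the connections listed above.

Added example, not part of the Joe Sandbox report. Flow and DNS records are
constructed from the report's Networking section; the record layout and the
host_role label are this example's own. The report does not say which domain
resolved to which address, so the name-to-IP pairing below is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# C2 hosts as extracted by the report's malware configuration extractor.
C2_HOSTS = frozenset({"svartalfheim.top", "jotunheim.name"})
# ET SID 2023883 alerts on any *.top query; mirrored here as a TLD watchlist.
SUSPICIOUS_TLDS = frozenset({"top"})


@dataclass(frozen=True)
class Flow:
    process: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnsQuery:
    process: str
    qname: str
    answers: tuple[str, ...]  # constructed A records


SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
FLOWS = [
    Flow(SVCHOST32, "80.66.75.254", 443),
    Flow(SVCHOST32, "93.189.42.6", 443),
    Flow(SVCHOST32, "52.101.40.29", 25),
    Flow(r"C:\Windows\System32\svchost.exe", "192.168.2.1", 53),  # benign control: internal DNS
]
DNS = [
    DnsQuery(SVCHOST32, "svartalfheim.top", ("80.66.75.254",)),  # pairing assumed
    DnsQuery(SVCHOST32, "jotunheim.name", ("93.189.42.6",)),  # pairing assumed
    DnsQuery(SVCHOST32, "microsoft-com.mail.protection.outlook.com", ("52.101.40.29",)),  # pairing assumed
]


def is_external(ip: str) -> bool:
    """True for publicly routable addresses (RFC 1918, loopback and link-local are not)."""
    return ipaddress.ip_address(ip).is_global


def triage(flows, dns, c2_hosts=C2_HOSTS, host_role="workstation") -> list[dict]:
    """Flag C2 lookups and connections, *.top queries, and SMTP egress from a non-mail host."""
    resolved: dict[str, set[str]] = {}
    for q in dns:
        for ip in q.answers:
            resolved.setdefault(ip, set()).add(q.qname)

    findings = []
    for q in dns:
        if q.qname in c2_hosts:
            findings.append({"kind": "c2_domain_query", "process": q.process, "value": q.qname})
        if q.qname.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append({"kind": "suspicious_tld_query", "process": q.process, "value": q.qname})

    for f in flows:
        if not is_external(f.dst_ip):
            continue  # internal traffic is out of scope for this check
        endpoint = f"{f.dst_ip}:{f.dst_port}"
        # A C2 hit on the hostname carries over to the flow through the resolved answers.
        if resolved.get(f.dst_ip, set()) & c2_hosts:
            findings.append({"kind": "c2_connection", "process": f.process, "value": endpoint})
        # Direct SMTP from an endpoint that is not a mail server is the spambot tell.
        if f.dst_port == 25 and host_role != "mail_server":
            findings.append({"kind": "smtp_egress_from_workstation", "process": f.process, "value": endpoint})
    return findings


if __name__ == "__main__":
    for finding in triage(FLOWS, DNS):
        print(finding)
```

The SMTP check is keyed on the host's role rather than on the destination, since the MX host here is a legitimate Microsoft mail server: what is abnormal is a workstation speaking SMTP to it at all. The same records triaged with host_role="mail_server" drop that finding and keep the C2 and TLD ones.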

        Spam, unwanted Advertisements and Ransom Demands

        Source: Yara match | File source, type: UNPACKEDPE:
          • 11.2.qtcnnjjg.exe.400000.0.raw.unpack
          • 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack
          • 11.2.qtcnnjjg.exe.400000.0.unpack
          • 14.2.svchost.exe.4d0000.0.unpack
          • 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack
          • 0.2.file.exe.2d20e67.1.raw.unpack
          • 0.2.file.exe.400000.0.unpack
          • 14.2.svchost.exe.4d0000.0.raw.unpack
          • 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack
          • 0.2.file.exe.400000.0.raw.unpack
          • 11.2.qtcnnjjg.exe.2da0000.2.unpack
          • 0.3.file.exe.2d40000.0.raw.unpack
        Source: Yara match | File source, type: MEMORY:
          • 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp
          • 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp
          • 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp
          • 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp
          • 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp
          • 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp
          • 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp
          • 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp
        Source: Yara match | File source, type: MEMORYSTR:
          • Process Memory Space: file.exe PID: 4516
          • Process Memory Space: qtcnnjjg.exe PID: 5940
          • Process Memory Space: svchost.exe PID: 3232

        System Summary

        Matched rule: Detects Tofsee (MALWARE_Win_Tofsee), Author: ditekSHen, and Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown, on each of the following sources, type: UNPACKEDPE:
          • 0.3.file.exe.2d40000.0.unpack
          • 0.3.file.exe.2d40000.0.raw.unpack
          • 0.2.file.exe.2d20e67.1.unpack
          • 0.2.file.exe.2d20e67.1.raw.unpack
          • 0.2.file.exe.400000.0.unpack
          • 0.2.file.exe.400000.0.raw.unpack
          • 11.2.qtcnnjjg.exe.400000.0.unpack
          • 11.2.qtcnnjjg.exe.400000.0.raw.unpack
          • 11.2.qtcnnjjg.exe.2c40e67.1.unpack
          • 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack
          • 11.2.qtcnnjjg.exe.2da0000.2.unpack
          • 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack
          • 11.3.qtcnnjjg.exe.2d40000.0.unpack
          • 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack
          • 14.2.svchost.exe.4d0000.0.unpack
          • 14.2.svchost.exe.4d0000.0.raw.unpack
        Matched rules on memory dumps, type: MEMORY:
          • 00000000.00000002.344749194.0000000002DA8000.00000040.00000020.00020000.00000000.sdmp: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
          • 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp: Detects Tofsee, Author: ditekSHen; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp: Windows_Trojan_Smokeloader_3687686f, Author: unknown; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp: Detects Tofsee, Author: ditekSHen; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp: Windows_Trojan_Smokeloader_3687686f, Author: unknown; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp: Detects Tofsee, Author: ditekSHen; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp: Detects Tofsee, Author: ditekSHen; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp: Detects Tofsee, Author: ditekSHen; Windows_Trojan_Tofsee_26124fe4, Author: unknown
          • 0000000B.00000002.356106077.0000000002E23000.00000040.00000020.00020000.00000000.sdmp: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
          • 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp: Detects Tofsee, Author: ditekSHen; Windows_Trojan_Tofsee_26124fe4, Author: unknown
        Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Rule metadata for the two Tofsee rules (identical for every UNPACKEDPE source listed above):
          • MALWARE_Win_Tofsee: author = ditekSHen, description = Detects Tofsee
          • Windows_Trojan_Tofsee_26124fe4: reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.344749194.0000000002DA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.356106077.0000000002E23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C913
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_004DC913
        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
        Source: file.exe | ReversingLabs: Detection: 46%
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
        Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tsqtjgfo
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d"C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tsqtjgfo
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/3@9/3
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_004D9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_02E2572E CreateToolhelp32Snapshot,Module32First,
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2328:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_01
        Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\joraxobufovo 8-nukasemuluz\24\ruyal\geyobuwu.pdb | source: file.exe, qtcnnjjg.exe.0.dr

        Data Obfuscation

        Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Unpacked PE file: 11.2.qtcnnjjg.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Unpacked PE file: 11.2.qtcnnjjg.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_02E28A16 push 0000002Bh; iretd
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_02E23598 push eax; iretd
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe (copy)
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsqtjgfo
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\file.exe
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
        Source: C:\Windows\SysWOW64\svchost.exe TID: 5004 | Thread sleep count: 191 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 5004 | Thread sleep time: -191000s >= -30000s
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
        Source: C:\Users\user\Desktop\file.exe | API coverage: 8.6 %
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | API coverage: 3.9 %
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | API call chain: ExitProcess graph end node
        Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node
        Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node

        Anti Debugging

        Source: C:\Users\user\Desktop\file.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap,
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_02C4092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_02C40D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_02E2500B push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_004D9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 80.66.75.254 443
        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 93.189.42.6 443
        Source: C:\Windows\SysWOW64\svchost.exe, Domain query: svartalfheim.top
        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 52.101.40.29 25
        Source: C:\Windows\SysWOW64\svchost.exe, Domain query: jotunheim.name
        Source: C:\Windows\SysWOW64\svchost.exe, Domain query: microsoft-com.mail.protection.outlook.com
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 3D3008
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4D0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\
        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection
        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tsqtjgfo
        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
        Source: C:\Users\user\Desktop\file.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match, File source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: file.exe PID: 4516, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: qtcnnjjg.exe PID: 5940, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 3232, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match, File source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: file.exe PID: 4516, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: qtcnnjjg.exe PID: 5940, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 3232, type: MEMORYSTR
        Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
        Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe, Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
        Source: C:\Windows\SysWOW64\svchost.exe, Code function: 14_2_004D88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
        Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
        Execution: 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
        Persistence: 1 Valid Accounts; 14 Windows Service; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
        Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
        Defense Evasion: 2 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 21 Software Packing; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
        Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 15 System Information Discovery; 11 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
        Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
        Behavior Graph ID: 780217, Sample: file.exe, Startdate: 08/01/2023, Architecture: WINDOWS, Score: 100
        Start node: domains jotunheim.name, microsoft-com.mail.protection.outlook.com; signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
        • qtcnnjjg.exe started
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
          • svchost.exe started
            network: jotunheim.name 80.66.75.254, 443, 49717, 49721 RISS-ASRU Russian Federation; svartalfheim.top 93.189.42.6, 443, 49701, 49707 NTCOM-ASRU Russian Federation; microsoft-com.mail.protection.outlook.com 52.101.40.29, 25, 49700 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
            signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation
        • file.exe started
          dropped: C:\Users\user\AppData\Local\...\qtcnnjjg.exe, PE32
          signatures: Found API chain indicative of debugger detection; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
          • cmd.exe started; dropped: C:\Windows\SysWOW64\...\qtcnnjjg.exe (copy), PE32; started conhost.exe
          • netsh.exe started; started conhost.exe
          • cmd.exe started; started conhost.exe
          • 3 other processes started; started conhost.exe (3x)

        Source | Detection | Scanner | Label
        file.exe | 46% | ReversingLabs | Win32.Backdoor.Convagent
        file.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        0.3.file.exe.2d40000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
        14.3.svchost.exe.84b000.1.unpack | 100% | Avira | HEUR/AGEN.1253311
        11.2.qtcnnjjg.exe.2c40e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
        14.3.svchost.exe.84b000.2.unpack | 100% | Avira | HEUR/AGEN.1253311
        0.2.file.exe.2d20e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
        11.2.qtcnnjjg.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
        14.2.svchost.exe.4d0000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
        0.2.file.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
        11.2.qtcnnjjg.exe.2da0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
        11.3.qtcnnjjg.exe.2d40000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

        Source | Detection | Scanner | Label
        svartalfheim.top | 17% | Virustotal |
        jotunheim.name | 16% | Virustotal |

        Source | Detection | Scanner | Label
        svartalfheim.top:443 | 0% | URL Reputation | safe
        svartalfheim.top:443 | 0% | URL Reputation | safe
        jotunheim.name:443 | 0% | URL Reputation | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        svartalfheim.top | 93.189.42.6 | true | true | | unknown
        jotunheim.name | 80.66.75.254 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 52.101.40.29 | true | false | | high

        Name | Malicious | Antivirus Detection | Reputation
        svartalfheim.top:443 | true | URL Reputation: safe; URL Reputation: safe | unknown
        jotunheim.name:443 | true | URL Reputation: safe | unknown

        IP | Domain | Country | ASN | ASN Name | Malicious
        80.66.75.254 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true
        93.189.42.6 | svartalfheim.top | Russian Federation | 41853 | NTCOM-ASRU | true
        52.101.40.29 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:780217
          Start date and time:2023-01-08 16:13:30 +01:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 35s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:file.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:20
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@22/3@9/3
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 61.9% (good quality ratio 59%)
          • Quality average: 86.9%
          • Quality standard deviation: 25.3%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240s for sample files taking high CPU consumption
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe
          • Excluded IPs from analysis (whitelisted): 20.112.52.29, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50, 40.126.32.75, 20.190.160.23, 20.190.160.12, 20.190.160.21, 20.190.160.15, 40.126.32.73, 40.126.32.132, 40.126.32.67, 40.127.240.158, 20.73.194.208
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, prda.aadg.msidentity.com, atm-settingsfe-prod-geo2.trafficmanager.net, login.live.com, settings-prod-weu-2.westeurope.cloudapp.azure.com, settings-prod-neu-1.northeurope.cloudapp.azure.com, microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          Time | Type | Description
          16:15:35 | API Interceptor | 5x Sleep call for process: svchost.exe modified
          Process:C:\Users\user\Desktop\file.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):15645184
          Entropy (8bit):5.291152040640698
          Encrypted:false
          SSDEEP:49152:FZsrgsLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL:FZsr
          MD5:3D0E87BA5B0B7BA4C2F68898214F5106
          SHA1:8BFFC54A6633126CFA4118B382E4C3A3F63A432A
          SHA-256:010FDCDEE7594911E51CFCBFAA6DEACB3F8306A20537FF3F11F9DFC41BB0FA72
          SHA-512:7A9C495FC0AC66D68E553A9090B6B61E59864DB3FC75477C44B85CD582B93DCDC859CA74B5D015B1E7C3988E97CD3430B84E5D3FB6082EBDEE608D2C760415EE
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u...............................x`.........1.....................Rich....................PE..L...?Qia.................z...py......_............@...........................z.............................................}..P.....y.`........................... ................................C..@............................................text...fx.......z.................. ..`.data....vw..........~..............@....rsrc...`.....y.."..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\cmd.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):15645184
          Entropy (8bit):5.291152040640698
          Encrypted:false
          SSDEEP:49152:FZsrgsLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL:FZsr
          MD5:3D0E87BA5B0B7BA4C2F68898214F5106
          SHA1:8BFFC54A6633126CFA4118B382E4C3A3F63A432A
          SHA-256:010FDCDEE7594911E51CFCBFAA6DEACB3F8306A20537FF3F11F9DFC41BB0FA72
          SHA-512:7A9C495FC0AC66D68E553A9090B6B61E59864DB3FC75477C44B85CD582B93DCDC859CA74B5D015B1E7C3988E97CD3430B84E5D3FB6082EBDEE608D2C760415EE
          Malicious:true
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u...............................x`.........1.....................Rich....................PE..L...?Qia.................z...py......_............@...........................z.............................................}..P.....y.`........................... ................................C..@............................................text...fx.......z.................. ..`.data....vw..........~..............@....rsrc...`.....y.."..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\netsh.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):3773
          Entropy (8bit):4.7109073551842435
          Encrypted:false
          SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
          MD5:DA3247A302D70819F10BCEEBAF400503
          SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
          SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
          SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
          Malicious:false
          Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):6.575762280828874
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:file.exe
          File size:269824
          MD5:4c085e942806b5c8d972695451aa8f48
          SHA1:208d04b2528058609221c87cf1272d420099c493
          SHA256:283b0f136d26968786e7a0abe1354758de4cdade534ddee63b93569c282f2299
          SHA512:71711540d02295de9afd3f5f9a2e1affcade41bf09e91f30da6674c2f3e1b610cb3b723a6d46605b5eb1975523d108282c5f68d6ac01eff19974ab972768b9fd
          SSDEEP:3072:EXhfi0CLr5NToLP0S5/NvXVarnGlEzSCdx4q5ofB9bjXpxOYDUZNTKXWPr0sd6:AkLrwLP0OqnOgSCdxpuZFjXTIOuN
          TLSH:12448C313693CC72C156E57099259AF8EFB6BC739B2489C327443B6E6E702D39272712
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u......................................x`.........1...........................Rich....................PE..L...?Qia...........
          Icon Hash:9062e098c6e73144
          Entrypoint:0x405fbf
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
          Time Stamp:0x6169513F [Fri Oct 15 10:00:31 2021 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:b49d1773872141620d6e88f1989600b7
          Instruction
          call 00007FF854CD7ED8h
          jmp 00007FF854CD1C4Eh
          mov edi, edi
          push ebp
          mov ebp, esp
          mov eax, dword ptr [ebp+08h]
          push esi
          mov esi, ecx
          mov byte ptr [esi+0Ch], 00000000h
          test eax, eax
          jne 00007FF854CD1E35h
          call 00007FF854CD7BB5h
          mov dword ptr [esi+08h], eax
          mov ecx, dword ptr [eax+6Ch]
          mov dword ptr [esi], ecx
          mov ecx, dword ptr [eax+68h]
          mov dword ptr [esi+04h], ecx
          mov ecx, dword ptr [esi]
          cmp ecx, dword ptr [0042A118h]
          je 00007FF854CD1DE4h
          mov ecx, dword ptr [0042A034h]
          test dword ptr [eax+70h], ecx
          jne 00007FF854CD1DD9h
          call 00007FF854CD88EBh
          mov dword ptr [esi], eax
          mov eax, dword ptr [esi+04h]
          cmp eax, dword ptr [00429F38h]
          je 00007FF854CD1DE8h
          mov eax, dword ptr [esi+08h]
          mov ecx, dword ptr [0042A034h]
          test dword ptr [eax+70h], ecx
          jne 00007FF854CD1DDAh
          call 00007FF854CD815Fh
          mov dword ptr [esi+04h], eax
          mov eax, dword ptr [esi+08h]
          test byte ptr [eax+70h], 00000002h
          jne 00007FF854CD1DE6h
          or dword ptr [eax+70h], 02h
          mov byte ptr [esi+0Ch], 00000001h
          jmp 00007FF854CD1DDCh
          mov ecx, dword ptr [eax]
          mov dword ptr [esi], ecx
          mov eax, dword ptr [eax+04h]
          mov dword ptr [esi+04h], eax
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          mov edi, edi
          push ebp
          mov ebp, esp
          sub esp, 10h
          push esi
          push dword ptr [ebp+0Ch]
          lea ecx, dword ptr [ebp-10h]
          call 00007FF854CD1D3Ah
          mov esi, dword ptr [ebp+08h]
          movsx eax, byte ptr [esi]
          push eax
          call 00007FF854CD8B93h
          cmp eax, 65h
          jmp 00007FF854CD1DDEh
          inc esi
          movzx eax, byte ptr [esi]
          push eax
          call 00007FF854CD893Ch
          test eax, eax
          pop ecx
          jne 00007FF854CD1DC3h
          movsx eax, byte ptr [esi]
          Programming Language:
          • [ASM] VS2008 build 21022
          • [ C ] VS2008 build 21022
          • [IMP] VS2005 build 50727
          • [C++] VS2008 build 21022
          • [RES] VS2008 build 21022
          • [LNK] VS2008 build 21022
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17dec | 0x50 | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2791000 | 0x18460 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x43b8 | 0x40 | .text
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x17866 | 0x17a00 | False | 0.5360139715608465 | OpenPGP Public Key | 6.402318242015286 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .data | 0x19000 | 0x27776b4 | 0x11a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0x2791000 | 0x18460 | 0x18600 | False | 0.47464943910256413 | data | 5.261333907966325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country
          AFX_DIALOG_LAYOUT | 0x27a6b58 | 0x2 | data | |
          AFX_DIALOG_LAYOUT | 0x27a6b50 | 0x2 | data | |
          AFX_DIALOG_LAYOUT | 0x27a6b60 | 0x2 | data | |
          AFX_DIALOG_LAYOUT | 0x27a6b68 | 0x2 | data | |
          AFX_DIALOG_LAYOUT | 0x27a6b70 | 0x2 | data | |
          RT_CURSOR | 0x27a6b78 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
          RT_CURSOR | 0x27a6cc0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
          RT_CURSOR | 0x27a6df0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | |
          RT_CURSOR | 0x27a6ee0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
          RT_CURSOR | 0x27a7fb8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
          RT_ICON | 0x27919e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Venezuela
          RT_ICON | 0x27920a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Venezuela
          RT_ICON | 0x2792610 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Venezuela
          RT_ICON | 0x27936b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Venezuela
          RT_ICON | 0x2793b60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x2794a08 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x27952b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x2795978 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x2795ee0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Spanish | Venezuela
          RT_ICON | 0x2798488 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Spanish | Venezuela
          RT_ICON | 0x2799530 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Spanish | Venezuela
          RT_ICON | 0x2799eb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Spanish | Venezuela
          RT_ICON | 0x279a398 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Venezuela
          RT_ICON | 0x279b240 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Venezuela
          RT_ICON | 0x279b908 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Venezuela
          RT_ICON | 0x279be70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Venezuela
          RT_ICON | 0x279e418 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Venezuela
          RT_ICON | 0x279f4c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Venezuela
          RT_ICON | 0x279fe48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Venezuela
          RT_ICON | 0x27a0318 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x27a11c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x27a1a68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x27a2130 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Spanish | Venezuela
          RT_ICON | 0x27a2698 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Spanish | Venezuela
          RT_ICON | 0x27a4c40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Spanish | Venezuela
          RT_ICON | 0x27a5ce8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Spanish | Venezuela
          RT_ICON | 0x27a6670 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Spanish | Venezuela
          RT_STRING | 0x27a89c8 | 0x38c | data | Spanish | Venezuela
          RT_STRING | 0x27a8d58 | 0x53c | data | Spanish | Venezuela
          RT_STRING | 0x27a9298 | 0x1c8 | data | Spanish | Venezuela
          RT_GROUP_CURSOR | 0x27a6ca8 | 0x14 | data | |
          RT_GROUP_CURSOR | 0x27a8860 | 0x14 | data | |
          RT_GROUP_CURSOR | 0x27a7f88 | 0x30 | data | |
          RT_GROUP_ICON | 0x279a320 | 0x76 | data | Spanish | Venezuela
          RT_GROUP_ICON | 0x2793b20 | 0x3e | data | Spanish | Venezuela
          RT_GROUP_ICON | 0x27a02b0 | 0x68 | data | Spanish | Venezuela
          RT_GROUP_ICON | 0x27a6ad8 | 0x76 | data | Spanish | Venezuela
          RT_VERSION | 0x27a8878 | 0x150 | data | |
          DLL | Import
          KERNEL32.dll | GetModuleHandleA, CreateDirectoryExA, ReadConsoleInputA, GetTempPathW, GetCurrentDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeW, SearchPathA, VerifyVersionInfoA, GetProcessPriorityBoost, EndUpdateResourceW, FindNextFileW, FindFirstVolumeW, LocalFree, GlobalFlags, UpdateResourceW, CreateActCtxA, CopyFileW, InterlockedExchangeAdd, GetConsoleAliasW, VerSetConditionMask, CreateMutexA, DeactivateActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, ResetEvent, MoveFileExW, CreateMailslotA, WriteConsoleInputA, QueryDosDeviceW, InterlockedDecrement, EnumTimeFormatsW, lstrcatW, FindFirstFileA, FreeEnvironmentStringsA, SetErrorMode, GetTickCount, SetLastError, AllocateUserPhysicalPages, GetPrivateProfileStructA, CopyFileExA, MoveFileWithProgressA, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA
          GDI32.dll | GetTextFaceA
          WINHTTP.dll | WinHttpWriteData
          Language of compilation system | Country where language is spoken | Map
          Spanish | Venezuela |
          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          01/08/23-16:14:55.286794 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 51441 | 53 | 192.168.2.5 | 8.8.8.8
          01/08/23-16:15:35.449008 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 63446 | 53 | 192.168.2.5 | 8.8.8.8
          01/08/23-16:16:57.387452 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 56682 | 53 | 192.168.2.5 | 8.8.8.8
          01/08/23-16:16:15.738842 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 59220 | 53 | 192.168.2.5 | 8.8.8.8
          01/08/23-16:17:37.662206 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 62659 | 53 | 192.168.2.5 | 8.8.8.8
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 8, 2023 16:14:52.816046000 CET | 49700 | 25 | 192.168.2.5 | 52.101.40.29
          Jan 8, 2023 16:14:52.964148045 CET | 25 | 49700 | 52.101.40.29 | 192.168.2.5
          Jan 8, 2023 16:14:52.964273930 CET | 49700 | 25 | 192.168.2.5 | 52.101.40.29
          Jan 8, 2023 16:14:52.966342926 CET | 49700 | 25 | 192.168.2.5 | 52.101.40.29
          Jan 8, 2023 16:14:53.115010023 CET | 25 | 49700 | 52.101.40.29 | 192.168.2.5
          Jan 8, 2023 16:14:53.115042925 CET | 25 | 49700 | 52.101.40.29 | 192.168.2.5
          Jan 8, 2023 16:14:53.115148067 CET | 49700 | 25 | 192.168.2.5 | 52.101.40.29
          Jan 8, 2023 16:14:53.116215944 CET | 25 | 49700 | 52.101.40.29 | 192.168.2.5
          Jan 8, 2023 16:14:53.116290092 CET | 49700 | 25 | 192.168.2.5 | 52.101.40.29
          Jan 8, 2023 16:14:55.308823109 CET | 49701 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:14:55.308898926 CET | 443 | 49701 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:14:55.309025049 CET | 49701 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:15:35.300574064 CET | 49701 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:15:35.300700903 CET | 443 | 49701 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:15:35.300817966 CET | 49701 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:15:35.474817038 CET | 49707 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:15:35.474905014 CET | 443 | 49707 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:15:35.475019932 CET | 49707 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:15.518754959 CET | 49707 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:15.518908978 CET | 443 | 49707 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:16:15.519073963 CET | 49707 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:16.034245968 CET | 49711 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:16.034348965 CET | 443 | 49711 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:16:16.034431934 CET | 49711 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:56.099965096 CET | 49711 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:56.100171089 CET | 443 | 49711 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:16:56.100471020 CET | 49711 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:57.495203972 CET | 49713 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:16:57.495263100 CET | 443 | 49713 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:16:57.495353937 CET | 49713 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:17:37.493819952 CET | 49713 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:17:37.494014025 CET | 443 | 49713 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:17:37.494110107 CET | 49713 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:17:37.683511972 CET | 49715 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:17:37.683573008 CET | 443 | 49715 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:17:37.683675051 CET | 49715 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:18:17.684156895 CET | 49715 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:18:17.684248924 CET | 443 | 49715 | 93.189.42.6 | 192.168.2.5
          Jan 8, 2023 16:18:17.684341908 CET | 49715 | 443 | 192.168.2.5 | 93.189.42.6
          Jan 8, 2023 16:18:17.888770103 CET | 49717 | 443 | 192.168.2.5 | 80.66.75.254
          Jan 8, 2023 16:18:17.888814926 CET | 443 | 49717 | 80.66.75.254 | 192.168.2.5
          Jan 8, 2023 16:18:17.888916969 CET | 49717 | 443 | 192.168.2.5 | 80.66.75.254
          Jan 8, 2023 16:18:57.890940905 CET | 49717 | 443 | 192.168.2.5 | 80.66.75.254
          Jan 8, 2023 16:18:57.893198967 CET | 443 | 49717 | 80.66.75.254 | 192.168.2.5
          Jan 8, 2023 16:18:57.893291950 CET | 49717 | 443 | 192.168.2.5 | 80.66.75.254
          Jan 8, 2023 16:19:04.759143114 CET | 49721 | 443 | 192.168.2.5 | 80.66.75.254
          Jan 8, 2023 16:19:04.759206057 CET | 443 | 49721 | 80.66.75.254 | 192.168.2.5
          Jan 8, 2023 16:19:04.759340048 CET | 49721 | 443 | 192.168.2.5 | 80.66.75.254
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 8, 2023 16:14:52.559065104 CET | 60649 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:14:52.804296970 CET | 53 | 60649 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:14:55.286793947 CET | 51441 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:14:55.306782007 CET | 53 | 51441 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:15:35.449007988 CET | 63446 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:15:35.466605902 CET | 53 | 63446 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:16:15.738842010 CET | 59220 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:16:16.032886028 CET | 53 | 59220 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:16:57.387451887 CET | 56682 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:16:57.493288994 CET | 53 | 56682 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:17:37.662205935 CET | 62659 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:17:37.681801081 CET | 53 | 62659 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:18:17.840845108 CET | 56263 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:18:17.887387037 CET | 53 | 56263 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:18:32.805587053 CET | 64419 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:18:32.834148884 CET | 53 | 64419 | 8.8.8.8 | 192.168.2.5
          Jan 8, 2023 16:19:04.705599070 CET | 61344 | 53 | 192.168.2.5 | 8.8.8.8
          Jan 8, 2023 16:19:04.755404949 CET | 53 | 61344 | 8.8.8.8 | 192.168.2.5
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Jan 8, 2023 16:14:52.559065104 CET | 192.168.2.5 | 8.8.8.8 | 0x9e65 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:55.286793947 CET | 192.168.2.5 | 8.8.8.8 | 0xc8e5 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:15:35.449007988 CET | 192.168.2.5 | 8.8.8.8 | 0xe9fa | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:16:15.738842010 CET | 192.168.2.5 | 8.8.8.8 | 0x678a | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:16:57.387451887 CET | 192.168.2.5 | 8.8.8.8 | 0xa092 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:17:37.662205935 CET | 192.168.2.5 | 8.8.8.8 | 0x6193 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:17.840845108 CET | 192.168.2.5 | 8.8.8.8 | 0x54a4 | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.805587053 CET | 192.168.2.5 | 8.8.8.8 | 0xa3ff | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:19:04.705599070 CET | 192.168.2.5 | 8.8.8.8 | 0x783d | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Jan 8, 2023 16:14:52.804296970 CET | 8.8.8.8 | 192.168.2.5 | 0x9e65 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.29 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:52.804296970 CET | 8.8.8.8 | 192.168.2.5 | 0x9e65 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:52.804296970 CET | 8.8.8.8 | 192.168.2.5 | 0x9e65 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:52.804296970 CET | 8.8.8.8 | 192.168.2.5 | 0x9e65 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.2 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:52.804296970 CET | 8.8.8.8 | 192.168.2.5 | 0x9e65 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:52.804296970 CET | 8.8.8.8 | 192.168.2.5 | 0x9e65 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:14:55.306782007 CET | 8.8.8.8 | 192.168.2.5 | 0xc8e5 | No error (0) | svartalfheim.top | | 93.189.42.6 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:15:35.466605902 CET | 8.8.8.8 | 192.168.2.5 | 0xe9fa | No error (0) | svartalfheim.top | | 93.189.42.6 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:16:16.032886028 CET | 8.8.8.8 | 192.168.2.5 | 0x678a | No error (0) | svartalfheim.top | | 93.189.42.6 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:16:57.493288994 CET | 8.8.8.8 | 192.168.2.5 | 0xa092 | No error (0) | svartalfheim.top | | 93.189.42.6 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:17:37.681801081 CET | 8.8.8.8 | 192.168.2.5 | 0x6193 | No error (0) | svartalfheim.top | | 93.189.42.6 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:17.887387037 CET | 8.8.8.8 | 192.168.2.5 | 0x54a4 | No error (0) | jotunheim.name | | 80.66.75.254 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.834148884 CET | 8.8.8.8 | 192.168.2.5 | 0xa3ff | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.834148884 CET | 8.8.8.8 | 192.168.2.5 | 0xa3ff | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.834148884 CET | 8.8.8.8 | 192.168.2.5 | 0xa3ff | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.2 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.834148884 CET | 8.8.8.8 | 192.168.2.5 | 0xa3ff | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.29 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.834148884 CET | 8.8.8.8 | 192.168.2.5 | 0xa3ff | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:18:32.834148884 CET | 8.8.8.8 | 192.168.2.5 | 0xa3ff | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001) | false
          Jan 8, 2023 16:19:04.755404949 CET | 8.8.8.8 | 192.168.2.5 | 0x783d | No error (0) | jotunheim.name | | 80.66.75.254 | A (IP address) | IN (0x0001) | false
          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
          Jan 8, 2023 16:14:53.115042925 CET | 25 | 49700 | 52.101.40.29 | 192.168.2.5 | 220 CY4PEPF00005055.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Sun, 8 Jan 2023 15:14:52 +0000

          Target ID:0
          Start time:16:14:26
          Start date:08/01/2023
          Path:C:\Users\user\Desktop\file.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\file.exe
          Imagebase:0x400000
          File size:269824 bytes
          MD5 hash:4C085E942806B5C8D972695451AA8F48
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.344749194.0000000002DA8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:low

          Target ID:1
          Start time:16:14:37
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\
          Imagebase:0x11d0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:16:14:37
          Start date:08/01/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:3
          Start time:16:14:38
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\
          Imagebase:0x11d0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:4
          Start time:16:14:38
          Start date:08/01/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:5
          Start time:16:14:38
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\sc.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
          Imagebase:0xd90000
          File size:60928 bytes
          MD5 hash:24A3E2603E63BCB9695A2935D3B24695
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:6
          Start time:16:14:38
          Start date:08/01/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:7
          Start time:16:14:39
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\sc.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection
          Imagebase:0xd90000
          File size:60928 bytes
          MD5 hash:24A3E2603E63BCB9695A2935D3B24695
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:8
          Start time:16:14:39
          Start date:08/01/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:9
          Start time:16:14:40
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\sc.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\sc.exe" start tsqtjgfo
          Imagebase:0xd90000
          File size:60928 bytes
          MD5 hash:24A3E2603E63BCB9695A2935D3B24695
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:10
          Start time:16:14:40
          Start date:08/01/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:11
          Start time:16:14:42
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d"C:\Users\user\Desktop\file.exe"
          Imagebase:0x400000
          File size:15645184 bytes
          MD5 hash:3D0E87BA5B0B7BA4C2F68898214F5106
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.356106077.0000000002E23000.00000040.00000020.00020000.00000000.sdmp, Author: unknown

          Target ID:12
          Start time:16:14:42
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Imagebase:0x1280000
          File size:82944 bytes
          MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:13
          Start time:16:14:45
          Start date:08/01/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:14
          Start time:16:14:51
          Start date:08/01/2023
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:svchost.exe
          Imagebase:0xa80000
          File size:44520 bytes
          MD5 hash:FA6C268A5B5BDA067A901764D203D433
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

          No disassembly