Edit tour

Windows Analysis Report
MqE1p1WFrf.exe

Overview

General Information

Sample Name:	MqE1p1WFrf.exe
Analysis ID:	790122
MD5:	dd10393642798db29a624785ead8ecec
SHA1:	39aad598cfe75a9d8770fef63b5c81db3acfa3b7
SHA256:	0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
Tags:	32exeRhadamanthystrojan
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Hides threads from debuggers

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Queries memory information (via WMI often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Yara detected Keylogger Generic

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

MqE1p1WFrf.exe (PID: 3648 cmdline: C:\Users\user\Desktop\MqE1p1WFrf.exe MD5: DD10393642798DB29A624785EAD8ECEC)

rundll32.exe (PID: 3352 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 6076 cmdline: C:\Windows\system32\WerFault.exe -u -p 3352 -s 648 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.384266045.0000017ED94B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000003.383899245.0000017ED92B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.359030553.0000017ED8C69000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000003.359569400.0000017ED8EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MqE1p1WFrf.exe PID: 3648	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
4.3.rundll32.exe.17ed8d50000.9.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
4.3.rundll32.exe.17ed8ee0000.11.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
4.3.rundll32.exe.17ed8d50000.8.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
4.3.rundll32.exe.17ed8e60000.14.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
1.3.MqE1p1WFrf.exe.2830000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.MqE1p1WFrf.exe.2830000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.3.rundll32.exe.17ed8ee0000.11.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Rhadamanthys Stealer - Data Exfil - Source IP: 192.168.2.5 - Destination IP: 179.43.163.126

Timestamp:	192.168.2.5179.43.163.12649701802853002 01/23/23-21:39:53.428050
SID:	2853002
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Rhadamanthys Stealer - Payload Response - Source IP: 179.43.163.126 - Destination IP: 192.168.2.5

Timestamp:	179.43.163.126192.168.2.580497002853001 01/23/23-21:39:35.293558
SID:	2853001
Source Port:	80
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Rhadamanthys Stealer - Payload Download Request - Source IP: 192.168.2.5 - Destination IP: 179.43.163.126

Timestamp:	192.168.2.5179.43.163.12649700802043202 01/23/23-21:39:35.266442
SID:	2043202
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MqE1p1WFrf.exe	ReversingLabs: Detection: 64%
Source: MqE1p1WFrf.exe	Virustotal: Detection: 68%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll	Virustotal: Detection: 23%			Perma Link

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007DF471DAC06C CryptUnprotectData,

4_2_00007DF471DAC06C

Source: MqE1p1WFrf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: wkernel32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.325224942.000000000232C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdb source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winmm.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdb source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdb source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
Source:	Binary string: profapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
MqE1p1WFrf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MqE1p1WFrf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Windows Analysis Report
MqE1p1WFrf.exe