
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 800802
MD5: 546a040e4479958f7c6b862dead9a269
SHA1: 69a99c8f2fbfc316140690be348d6b54d6c01d7d
SHA256: 229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Uses netsh to modify the Windows network and firewall settings
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information

Classification

  • System is w10x64
  • file.exe (PID: 5128 cmdline: C:\Users\user\Desktop\file.exe MD5: 546A040E4479958F7C6B862DEAD9A269)
    • cmd.exe (PID: 3076 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2432 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 1020 cmdline: C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5828 cmdline: C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 3108 cmdline: "C:\Windows\System32\sc.exe" start htdzdeug MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 5864 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6120 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3592 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5064 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5400 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1764 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1652 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • qbxctmyn.exe (PID: 4532 cmdline: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe" MD5: D83D3102AEE8419201BF810DE2A41992)
    • svchost.exe (PID: 2888 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 1328 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2140 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 612 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4204 cmdline: c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
{"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source | Rule | Description | Author | Strings
0.2.file.exe.2080e67.1.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.file.exe.2080e67.1.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0.2.file.exe.2080e67.1.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
17.2.qbxctmyn.exe.e30e67.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
17.2.qbxctmyn.exe.e30e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
No Sigma rule has matched

Snort IDS alerts:

Timestamp: 02/07/23-20:05:14.210188
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
SID: 2023883
Source Port: 56924
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic

Timestamp: 02/07/23-20:04:33.939091
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
SID: 2023883
Source Port: 52387
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic

Timestamp: 02/07/23-20:05:54.726769
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
SID: 2023883
Source Port: 60625
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic

AV Detection

Source: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: file.exe | ReversingLabs: Detection: 43%
Source: file.exe | Virustotal: Detection: 34%
Source: svartalfheim.top | Virustotal: Detection: 17%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | Joe Sandbox ML: detected
Source: 17.2.qbxctmyn.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 23.2.svchost.exe.120000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.2.qbxctmyn.exe.e90000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.file.exe.2080e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.3.file.exe.21c0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.3.qbxctmyn.exe.e50000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.qbxctmyn.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}

Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb | source: file.exe, qbxctmyn.exe.0.dr
Source: Binary string: WaaSMedicSvc.pdb | source: waasmedic.20230208_040427_786.etl.22.dr
Source: Binary string: *C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb | source: file.exe, qbxctmyn.exe.0.dr

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 176.124.192.220 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:52387 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:56924 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:60625 -> 8.8.8.8:53
Source: Malware configuration extractor | URLs: svartalfheim.top:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | ASN Name: GULFSTREAMUA GULFSTREAMUA
Source: Joe Sandbox View | IP Address: 176.124.192.220 176.124.192.220
Source: global traffic | TCP traffic: 192.168.2.3:49703 -> 104.47.54.36:25
Source: unknown | DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: file.exe, 00000000.00000002.289843511.00000000007A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR

System Summary

Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
        Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C913
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Code function: 17_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_0012C913
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
        Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windowscoredeviceinfo.dll
        Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\file.exe | Code function: String function: 020827AB appears 35 times
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
        Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@34/16@5/2
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: file.exe | ReversingLabs: Detection: 43%
        Source: file.exe | Virustotal: Detection: 34%
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
        Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
        Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\qbxctmyn.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9EA4 CreateToolhelp32Snapshot,Module32First,
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1500:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_01
        Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr
        Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20230208_040427_786.etl.22.dr
        Source: Binary string: *C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr

        Data Obfuscation

        Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BD18C push 0000002Bh; iretd
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\htdzdeug
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\file.exe
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
        Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
        Source: C:\Windows\SysWOW64\svchost.exe TID: 5100 | Thread sleep count: 93 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 5100 | Thread sleep time: -93000s >= -30000s
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
        Source: C:\Users\user\Desktop\file.exe | API coverage: 5.5 %
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | API coverage: 3.8 %
        Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Evaded block: after key decision
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,
        Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | API call chain: ExitProcess graph end node
        Source: svchost.exe, 00000014.00000002.531851789.0000027EFA7AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
        Source: svchost.exe, 00000014.00000002.531361159.0000027EF9E89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware820ES
        Source: svchost.exe, 00000014.00000002.531851789.0000027EFA7AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware7,1
        Source: svchost.exe, 00000001.00000002.530944246.000001A573402000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
        Source: svchost.exe, 00000014.00000002.531361159.0000027EF9E89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware8
        Source: svchost.exe, 00000001.00000002.531072410.000001A573428000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.531375972.0000028763264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.531173272.0000021B36029000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B9781 push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0208092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Code function: 17_2_00E3092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Code function: 17_2_00E30D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Domain query: svartalfheim.top
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 176.124.192.220 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
        Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 120000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 120000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 120000
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3D6008
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
        Source: svchost.exe, 00000014.00000002.531860154.0000027EFA7BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
        Source: svchost.exe, 00000014.00000002.531813562.0000027EFA76C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
        Source: svchost.exe, 00000015.00000002.531091256.000002142EE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.531270706.000002142EF02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Code function: 17_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_001288B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        1 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | 41 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 12 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | 2 Command and Scripting Interpreter | 14 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | 3 Service Execution | Logon Script (Mac) | 14 Windows Service | 21 Software Packing | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 112 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 File Deletion | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote Services | Scheduled Task | Startup Items | Startup Items | 121 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 12 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Access Token Manipulation | Network Sniffing | 1 System Network Configuration Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 412 Process Injection | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | |
Behavior Graph (ID 800802, sample file.exe, start date 07/02/2023, architecture WINDOWS, score 100)

The process tree encoded in the graph:

• Start node: DNS query for microsoft-com.mail.protection.outlook.com; signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 7 other signatures
  • file.exe
    - dropped: C:\Users\user\AppData\Local\...\qbxctmyn.exe (PE32)
    - signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
    - starts cmd.exe, which drops C:\Windows\SysWOW64\...\qbxctmyn.exe (copy, PE32) and starts conhost.exe
    - starts netsh.exe, which starts conhost.exe
    - starts a second cmd.exe, which starts conhost.exe
    - starts 3 other processes, each of which starts conhost.exe
  • qbxctmyn.exe
    - signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
    - starts svchost.exe
      - connects to svartalfheim.top 176.124.192.220 on port 443 (source ports 49704, 49705), GULFSTREAMUA, Russian Federation
      - connects to microsoft-com.mail.protection.outlook.com 104.47.54.36 on port 25 (source port 49703), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
      - signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation
  • svchost.exe
    - signature: Changes security center settings (notifications, updates, antivirus, firewall)
    - starts MpCmdRun.exe, which starts conhost.exe
  • 8 other processes
    - signature: Query firmware table information (likely to detect VMs)

Initial sample
Source | Detection | Scanner | Label | Link
file.exe | 44% | ReversingLabs | Win32.Ransomware.Stop |
file.exe | 34% | Virustotal | | Browse
file.exe | 100% | Joe Sandbox ML | |

Dropped files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | 100% | Joe Sandbox ML | |

Unpacked PE files
Source | Detection | Scanner | Label | Link | Download
17.2.qbxctmyn.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
23.2.svchost.exe.120000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
17.2.qbxctmyn.exe.e90000.2.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
0.2.file.exe.2080e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
23.3.svchost.exe.649000.1.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
23.3.svchost.exe.649000.2.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
23.3.svchost.exe.649000.4.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
23.3.svchost.exe.649000.3.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
0.2.file.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
0.3.file.exe.21c0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
17.2.qbxctmyn.exe.e30e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
17.3.qbxctmyn.exe.e50000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File

Domains
Source | Detection | Scanner | Label | Link
svartalfheim.top | 18% | Virustotal | | Browse

URLs
Source | Detection | Scanner | Label | Link
https://%s.xboxlive.com | 0% | URL Reputation | safe |
jotunheim.name:443 | 0% | URL Reputation | safe |
https://dynamic.t | 0% | URL Reputation | safe |
svartalfheim.top:443 | 0% | URL Reputation | safe |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |

Note that the ReversingLabs label on the initial sample (Win32.Ransomware.Stop) disagrees with the Tofsee classification from the community Yara rule, with the Avira backdoor labels on the unpacked PE files, and with the behaviour graph (firewall changes, injected svchost.exe, SMTP to a public MX). Multi-scanner family labels are hints; the behavioural evidence and the C2 indicators below are what to act on.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
svartalfheim.top | 176.124.192.220 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
jotunheim.name:443 | true | URL Reputation: safe | unknown
svartalfheim.top:443 | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.309037099.00000189DAC45000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry= | svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000B.00000002.309364718.00000189DAC39000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://%s.dnet.xboxlive.com | svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
176.124.192.220 | svartalfheim.top | Russian Federation | 59652 | GULFSTREAMUA | true
104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
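The indicators in the tables above (C2 domains, the C2 IP, the sample hash, the dropped file name and the svchost.exe connections on ports 443 and 25) can be turned into a host-level check. What follows is an added example, not part of the Joe Sandbox report and not Joe Security tooling: a small Python matcher that loads those indicators and replays constructed Sysmon-style events modelled on the behaviour graph (file.exe dropping qbxctmyn.exe into Temp, netsh.exe started from a user path, the copy into SysWOW64, the injected svchost.exe talking to the C2 on 443 and to a public MX on 25). The event layout, the Desktop location of file.exe, explorer.exe as the process that wrote it, the 32-bit svchost.exe path, the SysWOW64 subdirectory (the report truncates it) and the benign activity.windows.com event are assumptions; every indicator value comes from the report.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Indicators taken from this report (analysis ID 800802).
C2_DOMAINS = {"svartalfheim.top", "jotunheim.name"}
C2_IPS = {"176.124.192.220"}
SAMPLE_SHA256 = {"229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0"}
# The report shows svchost.exe, started by the dropped qbxctmyn.exe, making the
# outbound connections (TCP 443 to the C2 host, TCP 25 to a public MX).
SYSTEM_IMAGES = {"svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def under_users(path: str) -> bool:
    # Assumption: anything below C:\Users is user-writable.
    return path.lower().startswith("c:\\users\\")


class IocMatcher:
    """Stateful matcher: remembers PE names first written under C:\\Users so a later
    copy of the same name into a system directory (the Temp -> SysWOW64 copy in the
    behaviour graph) can be flagged."""

    def __init__(self) -> None:
        self.user_dir_pes: set[str] = set()

    def handle(self, ev: dict) -> list[Alert]:
        handlers = {"network": self._network, "file": self._file, "process": self._process}
        return handlers.get(ev["type"], lambda _e: [])(ev)

    def _network(self, ev: dict) -> list[Alert]:
        alerts = []
        host, ip, port = ev.get("dst_host", ""), ev["dst_ip"], ev["dst_port"]
        image = basename(ev["image"])
        where = f"{image} -> {host or ip}:{port}"
        if host in C2_DOMAINS or ip in C2_IPS:
            alerts.append(Alert("tofsee_c2_contact", where))
        # Spambot tell: a Windows service host speaking SMTP to a public address.
        if image in SYSTEM_IMAGES and port == 25 and ipaddress.ip_address(ip).is_global:
            alerts.append(Alert("system_process_smtp", where))
        return alerts

    def _file(self, ev: dict) -> list[Alert]:
        alerts = []
        path, name = ev["path"], basename(ev["path"])
        if ev.get("sha256") in SAMPLE_SHA256:
            alerts.append(Alert("known_sample_hash", path))
        if under_users(path) and name.endswith(".exe"):
            self.user_dir_pes.add(name)
        elif in_system_dir(path) and name in self.user_dir_pes:
            alerts.append(Alert("user_pe_copied_to_system_dir",
                                f"{basename(ev['image'])} wrote {path}"))
        return alerts

    def _process(self, ev: dict) -> list[Alert]:
        # netsh.exe is expected to be launched by installers or admins from system
        # paths, not by a binary living under a user profile.
        if basename(ev["image"]) == "netsh.exe" and not in_system_dir(ev["parent_image"]):
            return [Alert("netsh_from_user_path", f"{ev['parent_image']} started netsh.exe")]
        return []


def scan(events: list[dict]) -> list[Alert]:
    matcher = IocMatcher()
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(matcher.handle(ev))
    return alerts


# Constructed events modelled on the behaviour graph. Event layout, file.exe
# location, explorer.exe as its writer, the 32-bit svchost.exe path and the
# SysWOW64 subdirectory are assumptions; hosts, IPs, ports, hash and the dropped
# file name come from the report.
SAMPLE_EVENTS = [
    {"type": "file", "image": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\user\\Desktop\\file.exe",
     "sha256": "229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0"},
    {"type": "file", "image": "C:\\Users\\user\\Desktop\\file.exe",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\qbxctmyn.exe"},
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "parent_image": "C:\\Users\\user\\Desktop\\file.exe"},
    {"type": "file", "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "path": "C:\\Windows\\SysWOW64\\assumed_subdir\\qbxctmyn.exe"},
    {"type": "network", "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "dst_host": "svartalfheim.top", "dst_ip": "176.124.192.220", "dst_port": 443},
    {"type": "network", "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "dst_host": "microsoft-com.mail.protection.outlook.com",
     "dst_ip": "104.47.54.36", "dst_port": 25},
    # Benign Windows telemetry on 443 (activity.windows.com is in the report's URL
    # list; pairing it with this whitelisted IP is an assumption).
    {"type": "network", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_host": "activity.windows.com", "dst_ip": "20.112.52.29", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule:30s} {alert.detail}")
```

Run stand-alone, the block prints five alerts, one per rule that fires. The benign svchost.exe telemetry on 443 is deliberately not flagged: system processes use 443 constantly, so only a known C2 destination, or SMTP from a service host, is a strong enough signal on its own. The SysWOW64 copy is only flagged because the matcher saw the same file name dropped under the user profile first; the copy alone would not fire.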
                                                                              Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                              Analysis ID:800802
                                                                              Start date and time:2023-02-07 20:03:06 +01:00
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 10m 12s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:light
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample file name:file.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.evad.winEXE@34/16@5/2
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HDC Information:
                                                                              • Successful, ratio: 49.5% (good quality ratio 47.1%)
                                                                              • Quality average: 86.9%
                                                                              • Quality standard deviation: 25.3%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 0
                                                                              • Number of non-executed functions: 0
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Excluded IPs from analysis (whitelisted): 20.112.52.29, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50
                                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:05:14 | API Interceptor | 2x Sleep call for process: svchost.exe modified
20:05:29 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2494
                                                                              Entropy (8bit):5.2403296958449355
                                                                              Encrypted:false
                                                                              SSDEEP:24:2dS48pX4y/DvKWDkQpyH2YX8ICDKbNRTrxKTBM2JT52YwFPYzKEqXpUfKFkeRupB:cAn/TLtfGgzmQLeUp/B8HoSkC9+TIYAs
                                                                              MD5:BDC008D0C34A85E8B2CF0502871A8D73
                                                                              SHA1:0DBF1368F6D3C401D410BFA69B1A0E1BCBCE2558
                                                                              SHA-256:514AD1AC5994134A6314AD8A504B79EB558775C1E0269F811B1C11F2CF26AD12
                                                                              SHA-512:0D495FCB897BFF1A3530F9F6684770082BC330131B26E263C9E55B04288B6E36F8DFEE9A6B61566809F55DB353C8B35FCF0A8E5D7352307F5DBEBC5A7C9FF8FC
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051593686244000</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2494
                                                                              Entropy (8bit):5.2403296958449355
                                                                              Encrypted:false
                                                                              SSDEEP:24:2dS48pX4y/DvKWDkQpyH2YX8ICDKbNRTrxKTBM2JT52YwFPYzKEqXpUfKFkeRupB:cAn/TLtfGgzmQLeUp/B8HoSkC9+TIYAs
                                                                              MD5:BDC008D0C34A85E8B2CF0502871A8D73
                                                                              SHA1:0DBF1368F6D3C401D410BFA69B1A0E1BCBCE2558
                                                                              SHA-256:514AD1AC5994134A6314AD8A504B79EB558775C1E0269F811B1C11F2CF26AD12
                                                                              SHA-512:0D495FCB897BFF1A3530F9F6684770082BC330131B26E263C9E55B04288B6E36F8DFEE9A6B61566809F55DB353C8B35FCF0A8E5D7352307F5DBEBC5A7C9FF8FC
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051593686244000</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):3.7601426671271163
                                                                              Encrypted:false
                                                                              SSDEEP:96:uoi8itI/ZndZNnAp9Z61zZs4Z5k907HUffZ3AZOX6Z6NZeA3CbZTQZMTkInZLpQ:Zi8ite3NneWpmaXid0eMYiLpQ
                                                                              MD5:4D6F0CCB342CAC8385F7158440CBB800
                                                                              SHA1:7B2187390048610B2C82A361A2E8EEEF0868C21B
                                                                              SHA-256:7C33E7A878DA01E5E1825603194C2C9E0FB8F260B8AB331613C2EB0B327A3864
                                                                              SHA-512:4462E8CCF3268C46377E67F9799A7B01EBA24717B84F8E14C84FCA92F42609D573B1C1D4AE5CDB502C2FA4D1B662C81D8F4BC01EA9F4338D4DF128A3350A3218
                                                                              Malicious:false
                                                                              Preview:................................................................................,...0.....`mr;...................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... .......`mr;..........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.,...0....8gmr;..................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):3.7601426671271163
                                                                              Encrypted:false
                                                                              SSDEEP:96:uoi8itI/ZndZNnAp9Z61zZs4Z5k907HUffZ3AZOX6Z6NZeA3CbZTQZMTkInZLpQ:Zi8ite3NneWpmaXid0eMYiLpQ
                                                                              MD5:4D6F0CCB342CAC8385F7158440CBB800
                                                                              SHA1:7B2187390048610B2C82A361A2E8EEEF0868C21B
                                                                              SHA-256:7C33E7A878DA01E5E1825603194C2C9E0FB8F260B8AB331613C2EB0B327A3864
                                                                              SHA-512:4462E8CCF3268C46377E67F9799A7B01EBA24717B84F8E14C84FCA92F42609D573B1C1D4AE5CDB502C2FA4D1B662C81D8F4BC01EA9F4338D4DF128A3350A3218
                                                                              Malicious:false
                                                                              Preview:................................................................................,...0.....`mr;...................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... .......`mr;..........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.,...0....8gmr;..................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.11004012961626064
                                                                              Encrypted:false
                                                                              SSDEEP:12:26Y3xgXm/Ey6q99950anNq3qQ10nMCldimE8eawHjcogn:26QLl68SagLyMCldzE9BHjcp
                                                                              MD5:5398B5971E6A8C924757AD8450DDDCEA
                                                                              SHA1:2B0B99C436D023DDB496F8549CDA84AF76EEE48A
                                                                              SHA-256:F69C7AEF9BE67BA09D2D8A9673475CEA648ED784A96579B02C0883CA73EB6732
                                                                              SHA-512:F2DD0A29A0C8EBC01C124E0EF7B5B6DC99435C09B631ED0784650C89759E8F71048D4436ED02715A3F2FE3904C00C2132B8468F18D670FD33220FC6D14D93489
                                                                              Malicious:false
                                                                              Preview:........................................................................................j.q......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ........jr;..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........I.q.....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.11249012819257488
                                                                              Encrypted:false
                                                                              SSDEEP:12:MxdlDXm/Ey6q99950aOg1miM3qQ10nMCldimE8eawHza1miIrSd:MvIl68SaX1tMLyMCldzE9BHza1tIC
                                                                              MD5:D1338C24B474F80B9D7A721DDDA3E149
                                                                              SHA1:C726DCA04341646E0453B24CF482077ADCE7DB74
                                                                              SHA-256:6DA48AD356AA520E0FDBE965FD998041401F0C46758DF1ED849DFEB62CC55A15
                                                                              SHA-512:132F97E55880EDBCC5807C5CC41613A64F9BB0D7FBC3B1DE400B6438A8BEC3078D999F319CE27C605879023ADBF5DCDB0C2622E4DCF8C4865643FF61CF1AD349
                                                                              Malicious:false
                                                                              Preview:........................................................................................*_o......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ......d.jr;..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..........go.....................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.1125005015962772
                                                                              Encrypted:false
                                                                              SSDEEP:12:MxCnXm/Ey6q99950ap11mK2P3qQ10nMCldimE8eawHza1mK2P:MUWl68SaT1iPLyMCldzE9BHza1I
                                                                              MD5:F7FF3F878EA4E230282D26BD877E2689
                                                                              SHA1:4BC8A22487FA18BFA85E083ADA2C8BAEC128E764
                                                                              SHA-256:E34E59D46F9316AA83FE293A0F1E3A7BE34C3A908DA952B470D97503DF85E9B1
                                                                              SHA-512:41E21EBA179704BCE1BC8B5686B5D372DA9122960BF76919F9ACE30DB677D5C21E00E11599C5C3207ED09FB979BFC29BC4819657FC1C1D28E626B3A333A7C571
                                                                              Malicious:false
                                                                              Preview:..........................................................................................n......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ......<.jr;..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.........N(n.....................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):12343296
                                                                              Entropy (8bit):3.4208454596549234
                                                                              Encrypted:false
                                                                              SSDEEP:6144:4JMjbyLY3DuTsP8d2nQO0o7MFGU15Ts+XAW:4JMjbyM3DW8qQa5TsV
                                                                              MD5:D83D3102AEE8419201BF810DE2A41992
                                                                              SHA1:30EC9FD8B35C5FEC5366FE52C7BF77E57A0C67A2
                                                                              SHA-256:4F8B000276DE586232FC912CDB72B497C305E8E13A8DEF72D3A2B0BA2FB7E0C9
                                                                              SHA-512:F3E9CEF20B8751716F1426DCACDA675F2672F60FF55218CB4A9BEC141A736D2B12E8761BCFC7115CD5F46DF3E5A83F3D399BD110EF37000F31EAEABDAE3BDCA2
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................B.s.....p.....f..............w...a.....q.....t....Rich...........PE..L.....a.....................>......or............@........................................................................l...P...................................@...............................p9..@............................................text............................... ..`.data...0........8..................@....rsrc............ ..................@..@.reloc..n'.......x..................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):2.7367341524723185
                                                                              Encrypted:false
                                                                              SSDEEP:48:31Ir52QWsb7kUub7kE7b7klXb7kib7kbIl9lnb7k0tplKb7k0b7k6b7kwQb7k9O:62k0Uu0g010i0U910ClK00060P09O
                                                                              MD5:ECA63CBE24540409B8D7D26006AFC7E9
                                                                              SHA1:E68668D56F8DE0B218AB8CE1CAEDAB67738758F5
                                                                              SHA-256:C335F94E1135F05A7C9C43DE5836BDBE27F2E434F787D9FC0009F5FAEA226B57
                                                                              SHA-512:C0181EA0EE254E387F50B9526BAF3241AF700955588AC99FBE12105B9D40EFB857CD981C8BF533C6CF777AFF0DFFD62873601A3D2EA9FA96804758436E12F50F
                                                                              Malicious:false
                                                                              Preview:....................................................!...........................4...l............................B.......)..r;..Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................WW...... .......'pr;..........E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.3.0.2.0.8._.0.4.0.4.2.7._.7.8.6...e.t.l.............P.P.4...l.......................................................................9.B.........17134.1.amd64fre.rs4_release.180410-1804............5.@.........OYo."(.s..O........WaaSMedicSvc.pdb............................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):10874
                                                                              Entropy (8bit):3.1639573047664586
                                                                              Encrypted:false
                                                                              SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z5+6I3+zJf+k:j+s+v+b+P+m+0+Q+q+q+73+zB+k
                                                                              MD5:0B770DFFF3F665694BF6BF00027A9FBD
                                                                              SHA1:6012FF2CF0F996B044312A974D75656DCBED702D
                                                                              SHA-256:3B7BA89B0A8AD80E3BEF0616DFF905DA9A50608933FAFC2B76DA22A4B610B6B6
                                                                              SHA-512:A151849ADB59ED84FA413787466E05EA042C7269383B4E24AEB0F4E74E43F4EC33324F90459ACD1BED6ACD30A3F9036D886360480697C24F1EB5A616D1012D08
                                                                              Malicious:false
                                                                              Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):3.3870081431882535
                                                                              Encrypted:false
                                                                              SSDEEP:96:oC/2o+oa5Q+97/YzWC9/I2lfikm/441T2IjFzdNMCn6JROY5Y:7uRjuu2g9CC4q
                                                                              MD5:703B2EA8C4DAFDC027C9C239FD4E6F41
                                                                              SHA1:5F826A311D1DA602C058515822326D2DC4B19540
                                                                              SHA-256:13529537165F17E8C7916312AAE8444F013F69CA50F9C5FCBF04539B7085417E
                                                                              SHA-512:31941279367ED33D22B2A84F1E906D263E2DEA3C03C0961962A428957CBD7516AEAFF16EC6A90C35D5600C13B80A98A3355E619BA6AFB2284F888FAA1507709A
                                                                              Malicious:false
                                                                              Preview:.... ... ....................................... ...!...................................{........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................WW...... ........kr;..........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.3.0.2.0.8._.0.4.0.4.1.9._.2.0.7...e.t.l.........P.P.........{.......................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):12343296
                                                                              Entropy (8bit):3.4208454596549234
                                                                              Encrypted:false
                                                                              SSDEEP:6144:4JMjbyLY3DuTsP8d2nQO0o7MFGU15Ts+XAW:4JMjbyM3DW8qQa5TsV
                                                                              MD5:D83D3102AEE8419201BF810DE2A41992
                                                                              SHA1:30EC9FD8B35C5FEC5366FE52C7BF77E57A0C67A2
                                                                              SHA-256:4F8B000276DE586232FC912CDB72B497C305E8E13A8DEF72D3A2B0BA2FB7E0C9
                                                                              SHA-512:F3E9CEF20B8751716F1426DCACDA675F2672F60FF55218CB4A9BEC141A736D2B12E8761BCFC7115CD5F46DF3E5A83F3D399BD110EF37000F31EAEABDAE3BDCA2
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................B.s.....p.....f..............w...a.....q.....t....Rich...........PE..L.....a.....................>......or............@........................................................................l...P...................................@...............................p9..@............................................text............................... ..`.data...0........8..................@....rsrc............ ..................@..@.reloc..n'.......x..................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\netsh.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):3773
                                                                              Entropy (8bit):4.7109073551842435
                                                                              Encrypted:false
                                                                              SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                              MD5:DA3247A302D70819F10BCEEBAF400503
                                                                              SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                              SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                              SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                              Malicious:false
                                                                              Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.033590531786374
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:file.exe
                                                                              File size:198656
                                                                              MD5:546a040e4479958f7c6b862dead9a269
                                                                              SHA1:69a99c8f2fbfc316140690be348d6b54d6c01d7d
                                                                              SHA256:229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0
                                                                              SHA512:459623eced397b36d3bbb5fa01d78789a172f16c72bffaa58f7ffda59ce3378f2c5a4c8e4c7f1a3864ac6469c0c3e51b5cab21ed10f22d2c379e5bb893a84f0b
                                                                              SSDEEP:6144:1JMjbyLY3DuTsP8d2nQO0o7MFGU15Ts+XAW:1JMjbyM3DW8qQa5TsV
                                                                              TLSH:8F14CF323A90C072C17B15745C64DAA56BBEB83046B9C9BB776807BE4F306D1523A37B
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................B.s.......p.......f.................w.....a.......q.......t.....Rich............PE..L......a...................
                                                                              Icon Hash:70d0eeeacacaeadd
                                                                              Entrypoint:0x40726f
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x61B896C8 [Tue Dec 14 13:06:16 2021 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:0
                                                                              File Version Major:5
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:87e1f4e32d01d5a52e605f27fd138118
                                                                              Instruction
                                                                              call 00007F13A86C951Ch
                                                                              jmp 00007F13A86C2E8Eh
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              test ecx, 00000003h
                                                                              je 00007F13A86C3036h
                                                                              mov al, byte ptr [ecx]
                                                                              add ecx, 01h
                                                                              test al, al
                                                                              je 00007F13A86C3060h
                                                                              test ecx, 00000003h
                                                                              jne 00007F13A86C3001h
                                                                              add eax, 00000000h
                                                                              lea esp, dword ptr [esp+00000000h]
                                                                              lea esp, dword ptr [esp+00000000h]
                                                                              mov eax, dword ptr [ecx]
                                                                              mov edx, 7EFEFEFFh
                                                                              add edx, eax
                                                                              xor eax, FFFFFFFFh
                                                                              xor eax, edx
                                                                              add ecx, 04h
                                                                              test eax, 81010100h
                                                                              je 00007F13A86C2FFAh
                                                                              mov eax, dword ptr [ecx-04h]
                                                                              test al, al
                                                                              je 00007F13A86C3044h
                                                                              test ah, ah
                                                                              je 00007F13A86C3036h
                                                                              test eax, 00FF0000h
                                                                              je 00007F13A86C3025h
                                                                              test eax, FF000000h
                                                                              je 00007F13A86C3014h
                                                                              jmp 00007F13A86C2FDFh
                                                                              lea eax, dword ptr [ecx-01h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-02h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-03h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-04h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              cmp ecx, dword ptr [0042C320h]
                                                                              jne 00007F13A86C3014h
                                                                              rep ret
                                                                              jmp 00007F13A86C950Ch
                                                                              push eax
                                                                              push dword ptr fs:[00000000h]
                                                                              lea eax, dword ptr [esp+0Ch]
                                                                              sub esp, dword ptr [esp+0Ch]
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              mov dword ptr [eax], ebp
                                                                              mov ebp, eax
                                                                              mov eax, dword ptr [0042C320h]
                                                                              Programming Language:
                                                                              • [ASM] VS2008 build 21022
                                                                              • [ C ] VS2008 build 21022
                                                                              • [IMP] VS2005 build 50727
                                                                              • [C++] VS2008 build 21022
                                                                              • [RES] VS2008 build 21022
                                                                              • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1876c | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15a000 | 0x1ee8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15c000 | 0xf10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1240 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3970 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1f4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1831a | 0x18400 | False | 0.5320050740979382 | data | 6.368267998766109 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x1a000 | 0x13f430 | 0x13800 | False | 0.9405548878205128 | data | 7.828510878154685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x15a000 | 0x1ee8 | 0x2000 | False | 0.6080322265625 | data | 5.762900764852552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x15c000 | 0x276e | 0x2800 | False | 0.32080078125 | data | 3.3362844081949086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x15a1c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tibetan | Tibet
RT_ICON | 0x15a1c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tibetan | Nepal
RT_ICON | 0x15a1c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tibetan | India
RT_ICON | 0x15aa68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tibetan | Tibet
RT_ICON | 0x15aa68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tibetan | Nepal
RT_ICON | 0x15aa68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tibetan | India
RT_STRING | 0x15bd90 | 0x4e | data | Tibetan | Tibet
RT_STRING | 0x15bd90 | 0x4e | data | Tibetan | Nepal
RT_STRING | 0x15bd90 | 0x4e | data | Tibetan | India
RT_STRING | 0x15bde0 | 0x50 | data | Tibetan | Tibet
RT_STRING | 0x15bde0 | 0x50 | data | Tibetan | Nepal
RT_STRING | 0x15bde0 | 0x50 | data | Tibetan | India
RT_STRING | 0x15be30 | 0xb6 | data | Tibetan | Tibet
RT_STRING | 0x15be30 | 0xb6 | data | Tibetan | Nepal
RT_STRING | 0x15be30 | 0xb6 | data | Tibetan | India
RT_GROUP_ICON | 0x15bb10 | 0x22 | data | Tibetan | Tibet
RT_GROUP_ICON | 0x15bb10 | 0x22 | data | Tibetan | Nepal
RT_GROUP_ICON | 0x15bb10 | 0x22 | data | Tibetan | India
RT_VERSION | 0x15bb38 | 0x258 | data | |
DLL | Import
KERNEL32.dll | RequestWakeupLatency, CreateFileA, FindActCtxSectionStringA, WriteConsoleInputA, ClearCommBreak, WriteFile, FindFirstVolumeMountPointW, CreateDirectoryExA, LocalSize, WaitForMultipleObjects, ReadConsoleInputA, GetProcessId, FreeUserPhysicalPages, WriteConsoleOutputAttribute, DebugActiveProcessStop, GetLocaleInfoW, GetProcAddress, LocalAlloc, GetCommandLineW, GetBinaryTypeW, InterlockedExchange, OpenMutexW, GetConsoleTitleA, SearchPathA, FreeConsole, EndUpdateResourceA, GetLastError, GetProfileSectionA, SetConsoleCursorInfo, GetConsoleAliasW, CreateSemaphoreA, GlobalFlags, GetConsoleAliasesLengthA, FindResourceW, SetVolumeMountPointW, GetModuleHandleW, HeapAlloc, GetComputerNameA, GetCurrentProcessId, CreateNamedPipeA, EnumResourceLanguagesA, SetHandleInformation, _hwrite, CreateActCtxA, DeleteVolumeMountPointA, MoveFileWithProgressA, AddRefActCtx, WritePrivateProfileStringA, GetUserDefaultLangID, QueryMemoryResourceNotification, WaitForSingleObject, GetLongPathNameW, InterlockedDecrement, VerifyVersionInfoA, EnumCalendarInfoW, FindNextFileW, EnumTimeFormatsA, SetLastError, SetCriticalSectionSpinCount, WritePrivateProfileSectionA, LoadLibraryA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, HeapFree, DeleteFileA, GetStartupInfoW, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, InitializeCriticalSectionAndSpinCount, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle
USER32.dll | GetComboBoxInfo
GDI32.dll | GetTextFaceW
Language of compilation system | Country where language is spoken | Map
Tibetan | Tibet |
Tibetan | Nepal |
Tibetan | India |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/07/23-20:05:14.210188 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 56924 | 53 | 192.168.2.3 | 8.8.8.8
02/07/23-20:04:33.939091 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 52387 | 53 | 192.168.2.3 | 8.8.8.8
02/07/23-20:05:54.726769 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 60625 | 53 | 192.168.2.3 | 8.8.8.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 7, 2023 20:04:31.294190884 CET | 49703 | 25 | 192.168.2.3 | 104.47.54.36
Feb 7, 2023 20:04:31.428320885 CET | 25 | 49703 | 104.47.54.36 | 192.168.2.3
Feb 7, 2023 20:04:31.428772926 CET | 49703 | 25 | 192.168.2.3 | 104.47.54.36
Feb 7, 2023 20:04:31.429225922 CET | 49703 | 25 | 192.168.2.3 | 104.47.54.36
Feb 7, 2023 20:04:31.562918901 CET | 25 | 49703 | 104.47.54.36 | 192.168.2.3
Feb 7, 2023 20:04:31.565531969 CET | 25 | 49703 | 104.47.54.36 | 192.168.2.3
Feb 7, 2023 20:04:31.565643072 CET | 49703 | 25 | 192.168.2.3 | 104.47.54.36
Feb 7, 2023 20:04:31.566819906 CET | 25 | 49703 | 104.47.54.36 | 192.168.2.3
Feb 7, 2023 20:04:31.566896915 CET | 49703 | 25 | 192.168.2.3 | 104.47.54.36
Feb 7, 2023 20:04:34.049882889 CET | 49704 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:04:34.049942017 CET | 443 | 49704 | 176.124.192.220 | 192.168.2.3
Feb 7, 2023 20:04:34.050019979 CET | 49704 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:14.064105988 CET | 49704 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:14.064233065 CET | 443 | 49704 | 176.124.192.220 | 192.168.2.3
Feb 7, 2023 20:05:14.064335108 CET | 49704 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:14.562938929 CET | 49705 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:14.562999964 CET | 443 | 49705 | 176.124.192.220 | 192.168.2.3
Feb 7, 2023 20:05:14.563118935 CET | 49705 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:54.581402063 CET | 49705 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:54.581485033 CET | 443 | 49705 | 176.124.192.220 | 192.168.2.3
Feb 7, 2023 20:05:54.581589937 CET | 49705 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:55.068969965 CET | 49706 | 443 | 192.168.2.3 | 176.124.192.220
Feb 7, 2023 20:05:55.069030046 CET | 443 | 49706 | 176.124.192.220 | 192.168.2.3
Feb 7, 2023 20:05:55.069097042 CET | 49706 | 443 | 192.168.2.3 | 176.124.192.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 7, 2023 20:04:31.258358002 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Feb 7, 2023 20:04:31.288695097 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3
Feb 7, 2023 20:04:33.939090967 CET | 52387 | 53 | 192.168.2.3 | 8.8.8.8
Feb 7, 2023 20:04:34.046056986 CET | 53 | 52387 | 8.8.8.8 | 192.168.2.3
Feb 7, 2023 20:05:14.210187912 CET | 56924 | 53 | 192.168.2.3 | 8.8.8.8
Feb 7, 2023 20:05:14.561336040 CET | 53 | 56924 | 8.8.8.8 | 192.168.2.3
Feb 7, 2023 20:05:54.726768970 CET | 60625 | 53 | 192.168.2.3 | 8.8.8.8
Feb 7, 2023 20:05:55.066458941 CET | 53 | 60625 | 8.8.8.8 | 192.168.2.3
Feb 7, 2023 20:06:14.241579056 CET | 51139 | 53 | 192.168.2.3 | 8.8.8.8
Feb 7, 2023 20:06:14.387082100 CET | 53 | 51139 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 7, 2023 20:04:31.258358002 CET | 192.168.2.3 | 8.8.8.8 | 0x9480 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:33.939090967 CET | 192.168.2.3 | 8.8.8.8 | 0xfd45 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:14.210187912 CET | 192.168.2.3 | 8.8.8.8 | 0x9585 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:54.726768970 CET | 192.168.2.3 | 8.8.8.8 | 0xc103 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.241579056 CET | 192.168.2.3 | 8.8.8.8 | 0x64c0 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.29 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.2 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:34.046056986 CET | 8.8.8.8 | 192.168.2.3 | 0xfd45 | No error (0) | svartalfheim.top | | 176.124.192.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:14.561336040 CET | 8.8.8.8 | 192.168.2.3 | 0x9585 | No error (0) | svartalfheim.top | | 176.124.192.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:55.066458941 CET | 8.8.8.8 | 192.168.2.3 | 0xc103 | No error (0) | svartalfheim.top | | 176.124.192.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.2 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.29 | A (IP address) | IN (0x0001) | false
                                                                              TimestampSource PortDest PortSource IPDest IPCommands
                                                                              Feb 7, 2023 20:04:31.565531969 CET2549703104.47.54.36192.168.2.3220 DM3NAM06FT007.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 7 Feb 2023 19:04:30 +0000

                                                                              Target ID:0
                                                                              Start time:20:04:09
                                                                              Start date:07/02/2023
                                                                              Path:C:\Users\user\Desktop\file.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\file.exe
                                                                              Imagebase:0x400000
                                                                              File size:198656 bytes
                                                                              MD5 hash:546A040E4479958F7C6B862DEAD9A269
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:low

                                                                              Target ID:1
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:2
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:3
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
                                                                              Imagebase:0xb0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:4
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:5
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:6
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
                                                                              Imagebase:0xb0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:7
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:8
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:9
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                              Imagebase:0xca0000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:10
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:11
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:12
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection"
                                                                              Imagebase:0xca0000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:13
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:14
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                              Imagebase:0x7ff6d1310000
                                                                              File size:163336 bytes
                                                                              MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:15
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\sc.exe" start htdzdeug
                                                                              Imagebase:0xca0000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:16
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:17
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe"
                                                                              Imagebase:0x400000
                                                                              File size:12343296 bytes
                                                                              MD5 hash:D83D3102AEE8419201BF810DE2A41992
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown

Target ID:18
Start time:20:04:20
Start date:07/02/2023
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:0x10f0000
File size:82944 bytes
MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:19
Start time:20:04:21
Start date:07/02/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:20
Start time:20:04:22
Start date:07/02/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:21
Start time:20:04:27
Start date:07/02/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:22
Start time:20:04:27
Start date:07/02/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:23
Start time:20:04:30
Start date:07/02/2023
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0xe40000
File size:44520 bytes
MD5 hash:FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Target ID:24
Start time:20:05:29
Start date:07/02/2023
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff6856c0000
File size:455656 bytes
MD5 hash:A267555174BFA53844371226F482B86B
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:25
Start time:20:05:29
Start date:07/02/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

No disassembly