
Windows Analysis Report
09212399.exe

Overview

General Information

Sample Name:09212399.exe
Analysis ID:877002
MD5:57dd320eae0fadd155619407c8b5313c
SHA1:fc2ce4b86d64025dbba19bb84e561a27fcb6ffb3
SHA256:4a524e63c81e6cf9ab8a86f8de0973ea6a6d0973545867d34eba1b777e238628
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Deletes itself after installation
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 09212399.exe (PID: 4968 cmdline: C:\Users\user\Desktop\09212399.exe MD5: 57DD320EAE0FADD155619407C8B5313C)
    • certreq.exe (PID: 7032 cmdline: C:\Windows\system32\certreq.exe MD5: 5A4F8BBCD943BC543B3F664C7DA83827)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 3332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 09212399.exe PID: 4968 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
      No Sigma rule has matched
      No Snort rule has matched

      AV Detection

      Source: 09212399.exeVirustotal: Detection: 40%
      Source: 09212399.exeJoe Sandbox ML: detected

      Compliance

      Source: C:\Users\user\Desktop\09212399.exeUnpacked PE file: 0.2.09212399.exe.400000.0.unpack
      Source: 09212399.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\09212399.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
      Source: Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
      Source: C:\Windows\System32\certreq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
      Source: C:\Windows\System32\certreq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
      Source: C:\Windows\System32\certreq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
      Source: C:\Windows\System32\certreq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
      Source: C:\Windows\System32\certreq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
      Source: C:\Windows\System32\certreq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
      Source: global trafficTCP traffic: 192.168.2.3:49699 -> 179.43.162.23:8509
      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.162.23
      Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png
      Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH
      Source: 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio
      Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com
      Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com
      Source: certreq.exe, 00000001.00000003.450923361.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444650267.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423142442.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443304465.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.445666271.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424137500.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443537430.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.428558621.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.420232422.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443833228.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424761572.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423901851.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423640005.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.441677024.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.438459075.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424370962.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823DB1000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.419657256.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 
00000001.00000003.444175695.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip
      Source: certreq.exe, 00000001.00000003.413436249.0000018823DBA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415230877.0000018823DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://http:///etc/puk.keyMachineGuid

      System Summary

      Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 09212399.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\09212399.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_02716E4B
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_00416214
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_004182F4
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_023E707B
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_023E915B
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D4A10
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D2792
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D1B9C
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D2C32
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D5E54
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D5554
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D58D4
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D24ED
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_0040203B NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_004018FB GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,NtQuerySystemInformation,HeapAlloc,RtlAllocateHeap,NtQuerySystemInformation,HeapAlloc,WideCharToMultiByte,_strlen,OutputDebugStringW,HeapFree,_rand,_rand,HeapAlloc,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CreateFileW,ReadFile,CloseHandle,HeapFree,
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree,
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_0040159B GetCurrentProcess,VirtualAllocExNuma,NtAllocateVirtualMemory,HeapAlloc,InterlockedIncrement,InterlockedIncrement,HeapAlloc,InterlockedIncrement,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapAlloc,
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_023D3374 HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,WaitForSingleObject,HeapFree,HeapFree,HeapDestroy,NtContinue,NtContinue,NtContinue,GetProcessHeap,HeapFree,
      Source: C:\Windows\System32\certreq.exeCode function: 1_3_00000188240D30A7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor,
      Source: 09212399.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: 09212399.exeVirustotal: Detection: 40%
      Source: 09212399.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\09212399.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\09212399.exe C:\Users\user\Desktop\09212399.exe
      Source: C:\Users\user\Desktop\09212399.exeProcess created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
      Source: C:\Windows\System32\certreq.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\09212399.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
      Source: C:\Users\user\Desktop\09212399.exeProcess created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
      Source: C:\Users\user\Desktop\09212399.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Users\user\Desktop\09212399.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\09212399.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
      Source: classification engineClassification label: mal100.spyw.evad.winEXE@5/0@0/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
      Source: C:\Users\user\Desktop\09212399.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
      Source: 09212399.exeString found in binary or memory: {d764e42e-add5-9d16-74e7-6164935016d1}
      Source: 09212399.exeString found in binary or memory: {a722ed69-f75e-adda-c282-357b7a5881c0}
      Source: 09212399.exeString found in binary or memory: {2a53b0ee-add5-8019-6f4d-b504148f277d}
      Source: 09212399.exeString found in binary or memory: {fd1f761c-addd-f638-ccfc-dc2ddad2eb2e}
      Source: 09212399.exeString found in binary or memory: {93c09873-6c92-83d1-add1-d1cf6ce0db24}
      Source: 09212399.exeString found in binary or memory: {67db7274-addc-33aa-369d-f51ff4fbdf01}
      Source: 09212399.exeString found in binary or memory: {652d3a0a-0179-af7e-c9e4-add04bde0b9b}
      Source: 09212399.exeString found in binary or memory: {04e8de6c-add6-baab-c21e-7d664f7ae35c}
      Source: 09212399.exeString found in binary or memory: {e530ebc8-addd-aec2-555f-9c575215134d}
      Source: 09212399.exeString found in binary or memory: {64f34c59-9151-4877-321d-add8d2d439f6}
      Source: C:\Windows\System32\certreq.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
      Source: C:\Users\user\Desktop\09212399.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 09212399.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
      Source: Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe

      Data Obfuscation

      Source: C:\Users\user\Desktop\09212399.exeUnpacked PE file: 0.2.09212399.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\09212399.exeUnpacked PE file: 0.2.09212399.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_0271434F push esp; retf
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_02717F4F push ecx; retf
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_02710FF2 push edx; iretd
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_02714DED pushad ; retf
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_027106EC push edi; retf
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_027149B2 push es; iretd
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_3_02714D8D push es; retf
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_00416203 push ecx; ret
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_00416320 push eax; ret
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_00416320 push eax; ret
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_023E706A push ecx; ret
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_023E7187 push eax; ret
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_023E7187 push eax; ret
      Source: C:\Users\user\Desktop\09212399.exeCode function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
      Source: initial sampleStatic PE information: section name: .text entropy: 7.890261806957562

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\certreq.exeFile deleted: c:\users\user\desktop\09212399.exe
      Source: C:\Users\user\Desktop\09212399.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09212399.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\certreq.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\certreq.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

      Malware Analysis System Evasion

      Source: Yara matchFile source: 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 09212399.exe PID: 4968, type: MEMORYSTR
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HOOKEXPLORER.EXE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNSC.EXE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXE
      Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;*!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;*!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYANONYMOUSUSERC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORROOT\CIMV2VIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST 
ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT * FROM WIN32_PNPDEVICEPNP_BUS_0PCI_BUS_0ACPIBUS_BUS_0SELECT * FROM WIN32_BUSORACLE CORPORATIONPRODUCTSELECT * FROM WIN32_BASEBOARDSOURCESSYSTEMFILENAMESELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMVBOXVIDEOW8VBOXVIDEOVBOXVBOXVIRTUALBOXSYSTEMPRODUCTNAMESYSTEMMANUFACTURERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONVMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMACTHLP.EXEVGAUTHSERVICE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGMON.EXE
      Source: 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCEXP.EXEPROCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXEPORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNS.EXE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PETOOLS.EXE
      Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WINDUMP.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDANR.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILEMON.EXE
Source: C:\Windows\System32\certreq.exe | Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\09212399.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\09212399.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\09212399.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_0041A38E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WQLrandomRandom name%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%cmdvrt32.dllcmdvrt64.dllwpespy.dllvmcheck.dllpstorec.dlldir_watch.dllapi_log.dlldbghelp.dllsbiedll.dllsnxhk.dllavghooka.dllavghookx.dlltestapp.exemyapp.exeklavme.exetest.exemalware.exesandbox.exebot.exesample.exeJohn Doevirustest usermaltestmalwaresand boxusertimmyPeter WilsonmilozsMillerJohnsonIT-ADMINHong LeeHAPUBWSEmilySandboxCurrentUserTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYAnonymousUSERC:\a\foobar.gifC:\a\foobar.docC:\a\foobar.bmpC:\123\email.docxC:\123\email.docC:\email.htmC:\email.docC:\loaddll.exeC:\take_screenshot.ps1JohnKLONE_X64-PCSystemITadminSWSCWilberNumberOfCoresSELECT * FROM Win32_ProcessorROOT\CIMV2virtualqemuvmwarevboxVBoxVBoxVBoxParallels Hvprl hyperv XenVMMXenVMMVMwareVMwareMicrosoft HvKVMKVMKVMA M IVirtualXen0ParallelsVMWareSerialNumberSELECT * FROM Win32_BIOSHVM domUVirtualBoxModelSELECT * FROM Win32_ComputerSystemQEMUinnotek GmbHManufacturerProcessorIdVMWxenvirtioSystem\CurrentControlSet\Enum\SCSISystem\CurrentControlSet\Enum\IDESELECT * FROM CIM_PhysicalConnector06/23/99SystemBiosDateVIRTUALBOXVideoBiosVersionSystemBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__System32\VBoxControl.exeSystem32\vboxtray.exeSystem32\vboxservice.exeSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sys%ProgramW6432%\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPC\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\VBoxMiniRdrDNVBoxTrayToolWndVBoxTrayToolWndClassVirtualBox Shared Foldersvboxtray.exevboxservice.exePCI\VEN_80EE&DEV_CAFEDeviceIdSELECT * FROM Win32_PnPEntityOpenHCD82371SB82441FX82801FBNameVEN_VBOXPNPDeviceIDCaptionSELECT * FROM Win32_PnPDevicePNP_BUS_0PCI_BUS_0ACPIBus_BUS_0SELECT * FROM Win32_BusOracle CorporationProductSELECT * FROM Win32_BaseBoardSourcesSystemFileNameSELECT * FROM Win32_NTEventlogFileVBoxWddmVBoxVideoW8vboxvideoVBOXvboxVirtualBoxSystemProductNameSystemManufacturerHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationVMWARESOFTWARE\VMware, Inc.\VMware Toolsvmacthlp.exeVGAuthService
Source: 09212399.exe, 00000000.00000003.380059413.00000000007F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWle
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: 09212399.exe, 00000000.00000003.380059413.00000000007F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023D092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023D0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\09212399.exe | Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
Source: C:\Windows\System32\certreq.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\09212399.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\09212399.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\System32\certreq.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\certreq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_00419F6D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_00414BB6 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA,
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OllyDbg.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Wireshark.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lordpe.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Procmon.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autoruns.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regmon.exe
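The memory strings above are, in effect, the sample's sandbox-detection checklist: VirtualBox and VMware registry paths and guest-tool binaries, analysis-tool process names (Wireshark, dumpcap, Procmon, OllyDbg and the rest), sandbox host and user names, and the Win32_Processor query whose NumberOfCores value is a classic low-core-count tell. The script below is an added example, not code from the sample or from Joe Sandbox: it turns that checklist into a self-check an analyst can run inside an analysis VM to see which of the sample's own checks the guest would fail. The indicator sets are transcribed from the report; because the report string is run together without separators, the split into host names and user names is this example's reading, and the two-core minimum is an assumption. On Windows it collects a live snapshot with the standard library only; on other platforms it runs the assessment over a constructed snapshot of an unhardened VirtualBox guest.

```python
"""Analysis-VM self-check built from the evasion indicators this sample carries.
Added example, not code from the sample or from Joe Sandbox.  The indicator
sets are transcribed from the memory strings in the report; the host/user
split of the run-together string and the two-core minimum are assumptions."""
import os
import subprocess
import sys

VBOX_VMWARE_KEYS = (          # HKLM subkeys the sample probes
    r"SYSTEM\ControlSet001\Services\VBoxGuest",
    r"SYSTEM\ControlSet001\Services\VBoxService",
    r"SYSTEM\ControlSet001\Services\VBoxSF",
    r"SYSTEM\ControlSet001\Services\VBoxVideo",
    r"SYSTEM\ControlSet001\Services\VBoxMouse",
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
)
ANALYSIS_PROCESSES = {        # analysis tools and guest-addition services
    "wireshark.exe", "dumpcap.exe", "procmon.exe", "procexp.exe", "ollydbg.exe",
    "tcpview.exe", "autoruns.exe", "regmon.exe", "filemon.exe", "lordpe.exe",
    "vboxservice.exe", "vboxtray.exe", "vmacthlp.exe", "vgauthservice.exe",
}
HYPERVISOR_VENDORS = ("vmware", "virtualbox", "innotek gmbh", "qemu",
                      "xen", "kvm", "parallels", "microsoft hv")
SANDBOX_HOSTNAMES = {"sandbox", "cuckoo", "nmsdbox", "tequilaboomboom", "fortinet",
                     "win7-traps", "mueller-pc", "john-pc", "hanspeter-pc",
                     "hal9th", "wilbert-sc"}
SANDBOX_USERNAMES = {"john doe", "test user", "maltest", "malware", "sand box",
                     "timmy", "peter wilson", "milozs", "it-admin", "hong lee",
                     "emily", "sandbox", "currentuser", "user"}
MIN_CORES = 2                 # assumption: the sample reads NumberOfCores


def assess(snapshot):
    """snapshot keys: registry_keys (existing HKLM subkeys), processes (image
    names), hostname, username, system_manufacturer, system_product, cores.
    Returns {check: [evidence, ...]} containing only the failed checks."""
    failed = {}
    present = {k.lower() for k in snapshot.get("registry_keys", ())}
    hits = [k for k in VBOX_VMWARE_KEYS if k.lower() in present]
    if hits:
        failed["guest_tool_registry_keys"] = hits
    hits = sorted({p.lower() for p in snapshot.get("processes", ())} & ANALYSIS_PROCESSES)
    if hits:
        failed["analysis_or_guest_tool_processes"] = hits
    smbios = (snapshot.get("system_manufacturer", "") + " " +
              snapshot.get("system_product", "")).lower()
    hits = [v for v in HYPERVISOR_VENDORS if v in smbios]
    if hits:
        failed["hypervisor_vendor_in_smbios"] = hits
    if snapshot.get("hostname", "").lower() in SANDBOX_HOSTNAMES:
        failed["known_sandbox_hostname"] = [snapshot["hostname"]]
    if snapshot.get("username", "").lower() in SANDBOX_USERNAMES:
        failed["known_sandbox_username"] = [snapshot["username"]]
    if snapshot.get("cores", MIN_CORES) < MIN_CORES:
        failed["low_core_count"] = [str(snapshot["cores"])]
    return failed


def collect_windows():
    """Take the same snapshot from a live Windows guest, standard library only."""
    import winreg

    def key_exists(path):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            return False

    def value(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as h:
                return str(winreg.QueryValueEx(h, name)[0])
        except OSError:
            return ""

    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True).stdout
    sysinfo = r"SYSTEM\ControlSet001\Control\SystemInformation"   # key the sample reads
    return {
        "registry_keys": [k for k in VBOX_VMWARE_KEYS if key_exists(k)],
        "processes": [ln.split('","')[0].strip('"') for ln in out.splitlines() if ln],
        "hostname": os.environ.get("COMPUTERNAME", ""),
        "username": os.environ.get("USERNAME", ""),
        "system_manufacturer": value(sysinfo, "SystemManufacturer"),
        "system_product": value(sysinfo, "SystemProductName"),
        "cores": os.cpu_count() or 0,
    }


SAMPLE_SNAPSHOT = {   # constructed: an unhardened VirtualBox guest
    "registry_keys": [r"SYSTEM\ControlSet001\Services\VBoxGuest",
                      r"SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "processes": ["explorer.exe", "VBoxTray.exe", "Wireshark.exe"],
    "hostname": "JOHN-PC", "username": "user",
    "system_manufacturer": "innotek GmbH", "system_product": "VirtualBox", "cores": 1,
}

if __name__ == "__main__":
    snap = collect_windows() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for check, evidence in assess(snap).items():
        print(f"[FAIL] {check}: {', '.join(evidence)}")
```

A guest that passes every check here is not invisible, since the sample also reads SCSI/IDE enumeration keys, the ACPI tables and PCI device IDs that appear in the same string, but a failing check is a definite leak that the sample would act on. Note that the very user name this report's sandbox uses, "user", is on the sample's list.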

      Stealing of Sensitive Information

Source: C:\Windows\System32\certreq.exe | Key opened:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
    HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
    HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\certreq.exe | File opened:
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c22ad13a-a322-4fd2-af93-38f6ee0e683c
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdfllckaahabafndbhieahigkjlhalf
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pjkljhegncpnkpknbcohdijeoejaedia
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
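Read together with the process-creation entry above, this section describes a chain worth a detection of its own: a binary running from the user's Desktop starts the signed Windows tool certreq.exe with no arguments (the recorded command line is just the image path), and that certreq.exe, not the original sample, then walks the Chrome profile tree, opens the Outlook, WinSCP, Bitcoin-Qt and Monero registry keys, and, per the URL table further down, talks to 179.43.162.23 on port 8509. The Python below is an added example, not part of the Joe Sandbox report or of the sample, showing how to score that chain over process, file, registry and network events from an EDR or Sysmon feed. The event schema, the weights, the alert threshold and the LOLBin list are this example's assumptions; the paths, keys and endpoint are the ones the report shows. The events are constructed from the report, with a benign certreq.exe invocation as a control.

```python
"""Score the LOLBin-to-credential-theft chain from this report over a stream of
endpoint events.  Added example; event schema, weights and threshold are this
example's own choices, the paths/keys/endpoint are the ones the report shows."""
import ipaddress
from collections import defaultdict

WEIGHTS = {
    "lolbin_from_user_path": 3,      # System32 tool whose parent runs from a user path
    "lolbin_no_arguments": 2,        # certreq.exe launched as a bare image path
    "browser_profile": 2,            # Chrome "User Data\Default" tree read
    "mail_profile": 1,               # Outlook MAPI profile key
    "winscp_sessions": 1,            # WinSCP stored-session security settings
    "wallet_bitcoin": 1,
    "wallet_monero": 1,
    "raw_ip_nonstandard_port": 2,    # literal public IP on an uncommon port
}
ALERT_THRESHOLD = 5                  # assumption; tune on your own telemetry
LOLBINS = {"certreq.exe", "certutil.exe"}   # assumption: extend as needed
USER_PATH_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")
COMMON_PORTS = {80, 443, 8080, 8443}

FILE_MARKERS = {"browser_profile": "\\google\\chrome\\user data\\default"}
REG_MARKERS = {
    "mail_profile": "\\windows messaging subsystem\\profiles\\outlook",
    "winscp_sessions": "\\martin prikryl\\winscp 2\\configuration\\security",
    "wallet_bitcoin": "\\software\\bitcoin\\bitcoin-qt",
    "wallet_monero": "\\software\\monero-project\\monero-core",
}


def is_raw_public_ip(host):
    """True for a literal, globally routable address; False for hostnames."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def triage(events):
    """Return {pid: {"image", "reasons", "score"}} for processes whose
    accumulated indicators reach ALERT_THRESHOLD."""
    hits = defaultdict(set)          # pid -> reason keys (deduplicated)
    images = {}
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image = ev["image"].lower()
            images[pid] = image
            name = image.rsplit("\\", 1)[-1]
            if name not in LOLBINS or not image.startswith("c:\\windows\\system32\\"):
                continue
            if any(h in ev.get("parent_image", "").lower() for h in USER_PATH_HINTS):
                hits[pid].add("lolbin_from_user_path")
            if ev.get("cmdline", "").strip().strip('"').lower() in ("", image):
                hits[pid].add("lolbin_no_arguments")
        elif kind == "file_open":
            hits[pid].update(k for k, m in FILE_MARKERS.items() if m in ev["path"].lower())
        elif kind == "reg_open":
            hits[pid].update(k for k, m in REG_MARKERS.items() if m in ev["key"].lower())
        elif kind == "net_connect":
            if is_raw_public_ip(ev["dst"]) and ev["port"] not in COMMON_PORTS:
                hits[pid].add("raw_ip_nonstandard_port")
    alerts = {}
    for pid, reasons in hits.items():
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            alerts[pid] = {"image": images.get(pid, "?"),
                           "reasons": sorted(reasons), "score": score}
    return alerts


CHROME = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
SAMPLE_EVENTS = [   # constructed from the report's process tree and access list
    {"type": "process_create", "pid": 100, "image": "C:\\Users\\user\\Desktop\\09212399.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Users\\user\\Desktop\\09212399.exe"},
    {"type": "process_create", "pid": 101, "image": "C:\\Windows\\System32\\certreq.exe",
     "parent_image": "C:\\Users\\user\\Desktop\\09212399.exe", "cmdline": "C:\\Windows\\system32\\certreq.exe"},
    {"type": "reg_open", "pid": 101, "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"},
    {"type": "reg_open", "pid": 101, "key": "HKEY_CURRENT_USER\\Software\\Martin Prikryl\\WinSCP 2\\Configuration\\Security"},
    {"type": "reg_open", "pid": 101, "key": "HKEY_CURRENT_USER\\SOFTWARE\\Bitcoin\\Bitcoin-Qt"},
    {"type": "reg_open", "pid": 101, "key": "HKEY_CURRENT_USER\\SOFTWARE\\monero-project\\monero-core"},
    {"type": "file_open", "pid": 101, "path": CHROME + "\\Local Storage\\leveldb"},
    {"type": "file_open", "pid": 101, "path": CHROME + "\\Network"},
    {"type": "net_connect", "pid": 101, "dst": "179.43.162.23", "port": 8509},
    # control: an administrator submitting a CSR from a console, no data access
    {"type": "process_create", "pid": 201, "image": "C:\\Windows\\System32\\certreq.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "certreq -submit -config CA1\\IssuingCA request.req"},
]

if __name__ == "__main__":
    for pid, a in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid} {a['image']} score={a['score']} reasons={a['reasons']}")
```

The reasons are kept as a set so that the hundred-odd Chrome directory opens above count once; what distinguishes this chain from a legitimate certreq.exe is the combination of an unusual parent, an empty command line and access to data a certificate-request tool has no business reading, not any single event. The control invocation scores zero because none of those hold.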
MITRE ATT&CK Matrix (rebuilt per tactic column; the digits in square brackets are the signature-count badges the matrix displays next to a technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [11]; Command and Scripting Interpreter [2]; Native API [1]; At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion [1]; Process Injection [11]; Obfuscated Files or Information [2]; Software Packing [22]; File Deletion [1]; Steganography
Credential Access: OS Credential Dumping [1]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery [1]; Security Software Discovery [131]; Virtualization/Sandbox Evasion [1]; Process Discovery [11]; File and Directory Discovery [1]; System Information Discovery [47]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection [1]; Archive Collected Data [1]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Antivirus and machine-learning detection

Initial Sample:
Source | Detection | Scanner
09212399.exe | 41% | Virustotal
09212399.exe | 100% | Joe Sandbox ML

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
https://discord.com | 0% | URL Reputation | safe
https://discord.com | 0% | URL Reputation | safe
https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip | 0% | Avira URL Cloud | safe
https://http:///etc/puk.keyMachineGuid | 0% | Avira URL Cloud | safe
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio | 0% | Avira URL Cloud | safe
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH | 0% | Avira URL Cloud | safe
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png | 0% | Avira URL Cloud | safe
      No contacted domains info
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://discord.com | certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png | 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://http:///etc/puk.keyMachineGuid | certreq.exe, 00000001.00000003.413436249.0000018823DBA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415230877.0000018823DBF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
      https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio | 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip | certreq.exe, 00000001.00000003.450923361.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444650267.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423142442.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443304465.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.445666271.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424137500.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443537430.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.428558621.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.420232422.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443833228.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424761572.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423901851.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423640005.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.441677024.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.438459075.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424370962.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823DB1000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.419657256.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444175695.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
      https://discordapp.com | certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH | 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        179.43.162.23 | unknown | Panama | | 51852 | PLI-ASCH | false
        Joe Sandbox Version:37.1.0 Beryl
        Analysis ID:877002
        Start date and time:2023-05-28 10:49:05 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 7m 16s
        Hypervisor based Inspection enabled:false
        Report type:light
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed:10
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:09212399.exe
        Detection:MAL
        Classification:mal100.spyw.evad.winEXE@5/0@0/1
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 45.5% (good quality ratio 44%)
        • Quality average: 86.1%
        • Quality standard deviation: 23.7%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
        • TCP Packets have been reduced to 100
        • Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryDirectoryFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.379104304802616
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:09212399.exe
        File size:503808
        MD5:57dd320eae0fadd155619407c8b5313c
        SHA1:fc2ce4b86d64025dbba19bb84e561a27fcb6ffb3
        SHA256:4a524e63c81e6cf9ab8a86f8de0973ea6a6d0973545867d34eba1b777e238628
        SHA512:23f1e1833a6a52d28cce3b07c726d568c2743b76593e46ba18cd97c7f3f29c262ea3624d7a3f0e745a6f776e0c21421e2a5a7541783fbcf1d31b359843436ddd
        SSDEEP:6144:e1z0CQa13pdiPumUtZVUqkj+VOVGakSEPhVHUk9ZuyxPwF7XgivTtiuy:eV0CQa131t1keBSEPHHUSu5tTtiuy
        TLSH:62B49E0392E53E54E9A68F769E1ED6E8760EF6708F193769311CBB1F08B0172D263B11
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L.....pb...........
        Icon Hash:454149454555691d
        Entrypoint:0x404e59
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x6270CBC3 [Tue May 3 06:29:23 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:0
        File Version Major:5
        File Version Minor:0
        Subsystem Version Major:5
        Subsystem Version Minor:0
        Import Hash:2d9ed3462f8a74bfd1231e2e9de56b43
        Instruction
        call 00007F2EE0CD8F13h
        jmp 00007F2EE0CD45ADh
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        mov ecx, dword ptr [esp+04h]
        test ecx, 00000003h
        je 00007F2EE0CD4756h
        mov al, byte ptr [ecx]
        add ecx, 01h
        test al, al
        je 00007F2EE0CD4780h
        test ecx, 00000003h
        jne 00007F2EE0CD4721h
        add eax, 00000000h
        lea esp, dword ptr [esp+00000000h]
        lea esp, dword ptr [esp+00000000h]
        mov eax, dword ptr [ecx]
        mov edx, 7EFEFEFFh
        add edx, eax
        xor eax, FFFFFFFFh
        xor eax, edx
        add ecx, 04h
        test eax, 81010100h
        je 00007F2EE0CD471Ah
        mov eax, dword ptr [ecx-04h]
        test al, al
        je 00007F2EE0CD4764h
        test ah, ah
        je 00007F2EE0CD4756h
        test eax, 00FF0000h
        je 00007F2EE0CD4745h
        test eax, FF000000h
        je 00007F2EE0CD4734h
        jmp 00007F2EE0CD46FFh
        lea eax, dword ptr [ecx-01h]
        mov ecx, dword ptr [esp+04h]
        sub eax, ecx
        ret
        lea eax, dword ptr [ecx-02h]
        mov ecx, dword ptr [esp+04h]
        sub eax, ecx
        ret
        lea eax, dword ptr [ecx-03h]
        mov ecx, dword ptr [esp+04h]
        sub eax, ecx
        ret
        lea eax, dword ptr [ecx-04h]
        mov ecx, dword ptr [esp+04h]
        sub eax, ecx
        ret
        mov edi, edi
        push ebp
        mov ebp, esp
        sub esp, 20h
        mov eax, dword ptr [ebp+08h]
        push esi
        push edi
        push 00000008h
        pop ecx
        mov esi, 004012D8h
        lea edi, dword ptr [ebp-20h]
        rep movsd
        mov dword ptr [ebp-08h], eax
        mov eax, dword ptr [ebp+0Ch]
        pop edi
        mov dword ptr [ebp-04h], eax
        pop esi
        Programming Language:
        • [ASM] VS2008 build 21022
        • [ C ] VS2008 build 21022
        • [C++] VS2008 build 21022
        • [IMP] VS2005 build 50727
        • [RES] VS2008 build 21022
        • [LNK] VS2008 build 21022
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5c8b8 | 0x64 | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a4000 | 0x19398 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2be000 | 0xddc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3150 | 0x40 | .text
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x5c37a | 0x5c400 | False | 0.9075256182249323 | data | 7.890261806957562 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .data | 0x5e000 | 0x245844 | 0x1e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x2a4000 | 0x19398 | 0x19400 | False | 0.37880956064356436 | data | 4.262404506795837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x2be000 | 0x3540 | 0x3600 | False | 0.21788194444444445 | data | 2.444805500720407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0x2a4730 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | |
        RT_ICON | 0x2a55d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
        RT_ICON | 0x2a5e80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | |
        RT_ICON | 0x2a8428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
        RT_ICON | 0x2a94d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | |
        RT_ICON | 0x2a9988 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | |
        RT_ICON | 0x2aa830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
        RT_ICON | 0x2ab0d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | |
        RT_ICON | 0x2ab640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | |
        RT_ICON | 0x2adbe8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
        RT_ICON | 0x2aec90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | |
        RT_ICON | 0x2af618 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | |
        RT_ICON | 0x2afae8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | |
        RT_ICON | 0x2b0990 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
        RT_ICON | 0x2b1238 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | |
        RT_ICON | 0x2b1900 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | |
        RT_ICON | 0x2b1e68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | |
        RT_ICON | 0x2b4410 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
        RT_ICON | 0x2b54b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | |
        RT_ICON | 0x2b5988 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | |
        RT_ICON | 0x2b6830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
        RT_ICON | 0x2b70d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | |
        RT_ICON | 0x2b7640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | |
        RT_ICON | 0x2b9be8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
        RT_ICON | 0x2bac90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | |
        RT_ICON | 0x2bb618 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | |
        RT_STRING | 0x2bbd20 | 0x664 | data | |
        RT_STRING | 0x2bc388 | 0x59e | data | |
        RT_STRING | 0x2bc928 | 0x29a | data | |
        RT_STRING | 0x2bcbc8 | 0x248 | data | |
        RT_STRING | 0x2bce10 | 0x582 | data | |
        RT_GROUP_ICON | 0x2bba80 | 0x68 | data | |
        RT_GROUP_ICON | 0x2a9938 | 0x4c | data | |
        RT_GROUP_ICON | 0x2b5920 | 0x68 | data | |
        RT_GROUP_ICON | 0x2afa80 | 0x68 | data | |
        RT_VERSION | 0x2bbae8 | 0x238 | data | |
        DLL | Import
        KERNEL32.dll | GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
        USER32.dll | CharLowerBuffA
        GDI32.dll | GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
        ADVAPI32.dll | MapGenericMask
        Timestamp | Source Port | Dest Port | Source IP | Dest IP


        Target ID:0
        Start time:10:49:57
        Start date:28/05/2023
        Path:C:\Users\user\Desktop\09212399.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\Desktop\09212399.exe
        Imagebase:0x400000
        File size:503808 bytes
        MD5 hash:57DD320EAE0FADD155619407C8B5313C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
        Reputation:low

        Target ID:1
        Start time:10:50:01
        Start date:28/05/2023
        Path:C:\Windows\System32\certreq.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\certreq.exe
        Imagebase:0x7ff68c8c0000
        File size:517120 bytes
        MD5 hash:5A4F8BBCD943BC543B3F664C7DA83827
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:moderate

        Target ID:2
        Start time:10:50:01
        Start date:28/05/2023
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff745070000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:5
        Start time:10:50:08
        Start date:28/05/2023
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
        Imagebase:0xef0000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        No disassembly