Windows Analysis Report
FT0uDS8neB.exe

Source: FT0uDS8neB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FT0uDS8neB.exe	ReversingLabs: Detection: 29%
Source: FT0uDS8neB.exe	Virustotal: Detection: 42%

Source: FT0uDS8neB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\FT0uDS8neB.exe C:\Users\user\Desktop\FT0uDS8neB.exe
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT0uDS8neB.exe.log

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE635.tmp

Source: classification engine

Classification label: mal96.evad.winEXE@4/7@2/2

Source: FT0uDS8neB.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6672

Source: RegSvcs.exe

String found in binary or memory: Z2wKCn--installs2p

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: FT0uDS8neB.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FT0uDS8neB.exe

Static file information: File size 1369600 > 1048576

Source: FT0uDS8neB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FT0uDS8neB.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x110000

Source: FT0uDS8neB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: FT0uDS8neB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RuDl.pdb source: FT0uDS8neB.exe, 00000000.00000002.247119434.0000000003311000.00000004.00001000.00020000.00000000.sdmp, FT0uDS8neB.exe, 00000000.00000002.247071121.00000000032C0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: vcruntime140_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: vertigorpgraptor.pdb source: FT0uDS8neB.exe
Source:	Binary string: mscorlib.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: System.ni.pdbRSDS source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: ucrtbase_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mscorlib.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS.TH source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: System.Core.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: vcruntime140_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS"f4v9 source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: ucrtbase_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: System.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: System.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: System.Core.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05A31799 push ebx; iretd	0_2_05A3179A
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05B75775 push B8FFFFC3h; ret	0_2_05B7577C
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05B74B7D push eax; iretd	0_2_05B74B84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0045893D push esi; ret	1_2_00458946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004019C7 push eax; mov dword ptr [esp], 00000000h	1_2_004019CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00449C28 push ecx; ret	1_2_00449C3B

Source: FT0uDS8neB.exe

Static PE information: 0xBB772F44 [Sat Aug 31 04:51:16 2069 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.967152206152922

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe TID: 6660

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

1_2_0041DAD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004493C8 FindFirstFileExW,		1_2_004493C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0044947C FindFirstFileExW,FindNextFileW,FindClose,FindClose,		1_2_0044947C

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node			graph_1-30916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node			graph_1-30925

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegSvcs.exe, 00000001.00000002.253094942.00000000011F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(a$
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00431855 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00431855

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00427ACE GetProcessHeap,CreateCompatibleDC,CreateCompatibleBitmap,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,DeleteObject,

1_2_00427ACE

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004303CD mov eax, dword ptr fs:[00000030h]	1_2_004303CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0043B51A mov ecx, dword ptr fs:[00000030h]	1_2_0043B51A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00446FD5 mov eax, dword ptr fs:[00000030h]	1_2_00446FD5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

1_2_0042D2D9

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Memory allocated: page read and write | page guard

Writes to foreign memory regions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00431849 SetUnhandledExceptionFilter,	1_2_00431849
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00431855 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00431855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00431D60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00431D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004457FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004457FB

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 455000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 460000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 462000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D2C008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Queries volume information: C:\Users\user\Desktop\FT0uDS8neB.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00431A78 cpuid

1_2_00431A78

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0043DCD1 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_0043DCD1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0044B042 GetTimeZoneInformation,

1_2_0044B042

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FT0uDS8neB.exe	29%	ReversingLabs	Win32.Trojan.Generic
FT0uDS8neB.exe	42%	Virustotal		Browse
FT0uDS8neB.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
gstatic-node.io	24%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://gstatic-node.io/c2confLh	100%	Avira URL Cloud	malware
http://gstatic-node.io/	100%	Avira URL Cloud	malware
http://gstatic-node.io/f	100%	Avira URL Cloud	malware
http://gstatic-node.io/c2conf	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gstatic-node.io	188.114.96.7	true	false	24%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gstatic-node.io/	false	Avira URL Cloud: malware	unknown
http://gstatic-node.io/c2conf	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://gstatic-node.io/c2confLh	RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://gstatic-node.io/f	RegSvcs.exe, 00000001.00000002.253094942.0000000001260000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	RegSvcs.exe, 00000001.00000002.253094942.000000000126E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.7	unknown	European Union		13335	CLOUDFLARENETUS	true
188.114.96.7	gstatic-node.io	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1293164
Start date and time:	2023-08-18 00:11:33 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	FT0uDS8neB.exe
Original Sample Name:	e6b8cfb15c6fce9abcea7a716345d537.exe
Detection:	MAL
Classification:	mal96.evad.winEXE@4/7@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 83.3% (good quality ratio 77.4%) Quality average: 78.6% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 84% Number of executed functions: 57 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.184.217.56, 2.20.210.223
Excluded domains from analysis (whitelisted): kv601.prod.do.dsp.mp.microsoft.com, kv601.prod.do.dsp.mp.microsoft.com.edgekey.net, fs.microsoft.com, geo.prod.do.dsp.trafficmanager.net, geo.prod.do.dsp.mp.microsoft.com, e12358.d.akamaiedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, watson.telemetry.microsoft.com, array509.prod.do.dsp.mp.microsoft.com, arc.msn.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:12:32	API Interceptor	1x Sleep call for process: FT0uDS8neB.exe modified
00:12:35	API Interceptor	1x Sleep call for process: RegSvcs.exe modified
00:12:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.7	DHL_AWB_45000289001.exe	Get hash	malicious	FormBook	Browse	www.czjhsklu.click/nnsx/?5zJ7A=Qq1QKV4-cye&19k=RL//gf/vScFATBns9FIQi5KKfwQZT34QZmfKaSAAxjU4wqB/ZGbqe/rMD1h4is7rBcvtUcJo7iNEgRFSJ+Q5lI7d12vMO4CBxqvZnOXr3nPV
	hesaphareketi-01.pdf.exe	Get hash	malicious	FormBook	Browse	www.hlteuo.com/coan/?9iFY=3rvoHpqfxFbJ4Dcm0ZW57fWL6gggnDrIjuE7x9jEjxad9wQC27zoaOZJXu7cud9ZmDdzXpLuQtu+MyqCjjAHlY7uy4d/YHBSpA==&Pu2TM=jVDHj
	sm46NqECwv.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?4nxlTg2=krCldiLgjcApKXxrGjhuaKpz6ZHvYhZGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcLNTxpm3PzxzrMAA==&IM842=K-RervNWusjtX
	udEvgI8oAR.exe	Get hash	malicious	FormBook	Browse	www.jpxiaoxi.top/oy30/?UvLp=LRt97ZM8TCfgatn4gwFyTzgl4AcXQEIUEiEc1jDvK7Yz8GVtzAA4YmUAS/AouR6FOgtc&o0G=AJEx_TCPEV
	jHoKVFIV53.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?dGgHTAY=krCldiLgjcApKXxkJhxRa5BznJXscTBGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcKNRh52DaT/EjyAA==&-HrvQ=N8LIJy_b81rqFVN
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.annaregas.com/k13s/?xFNH=2R6J1Mwk1pXyKYVwhkNlxjJ8v1RhkSyBe6EME6YyhIZ0/Nga8Zv4MU94dVSKxLe47F9d&zL08lr=ejlHNdbXg
	specifik#U00e1ci#U00f3k.xls	Get hash	malicious	FormBook	Browse	www.grmlfgsz.click/pta7/?Iv=ZUw0DE2tTfMrS/vGyxuieLl6kaDP4oTJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp689ioFi7f5fgi3TjeDS/z8BEKe8=&wDlhgT=ChaYXozdAlwb1SV
	scGanV8c88.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?JS_8C7D=krCldiLgjcApKXxrGjhuaKpz6ZHvYhZGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcLNTxpm3PzxzrMAA==&ivqyHH=ycS5CtM8hGt67IyN
	PAYMENT_DETAILS.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.guvenilirdamgasi.org/qpcj/?d2Y3o=CLt5b4nVfHN0cUD8LiUhEGsHj/mKirkDBEtfJybA3Pc6UVEGYUZBd7AfTSRLxjGxXde0YLIu/yd5JvFAW8H/jC1EjaCNxooVlWgY9nI=&Rh=DWhbDle
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	gstatic-node.io/c2sock
	vHcolmNDrx.exe	Get hash	malicious	LummaC Stealer	Browse	gstatic-node.io/c2sock
	qhfsVF2oUF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.emeeycarwash.com/sy22/?l2Md=idWz9iPt5djOAZRx7cnCD/xpUTTFozVhxOaydIDFqIpkj01++CgT1VCwJAO79rhd+nHJ&4hUHW=cVCdVHHX
	SWIFT_COPY.docx.doc	Get hash	malicious	Unknown	Browse	chilp.it/blocked.php
	Bill_of_lading.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.ahevrlh.xyz/sn26/?FRcPk=K4V3qd/IU4ffH94qwwuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUi1xqYuvMH6I&k2J=q6A8ur
	jeB6vVWLIf.exe	Get hash	malicious	FormBook	Browse	www.ohrana-truda-truda-rf.online/ge83/?nTFxoxtH=2nm9SBzH0Hx5NnWQX6GJHPtsi8QD7hmQKbTe2pBvLN9cPybUuxvo4q4aMsergVSi0iFd&k6B=2dotn
	UEWorS19Ku.exe	Get hash	malicious	MinerDownloader, LummaC Stealer, Xmrig	Browse	gstatic-node.io/c2sock
	1cDoXMFh1E.exe	Get hash	malicious	LummaC Stealer	Browse	gstatic-node.io/c2sock
	DypP.hta	Get hash	malicious	FormBook	Browse	www.ra89.info/oi24/?4hhH1t5H=Wh4wjnvEFEjN1Vcvh06yLqvba86PLQUGZsfVJU7KYL4duzqIEgCkKeFQBw6hAkdKG6D5&qXYPeb=ltxdAvvxHF_txf10
	qWPmliKXpb.exe	Get hash	malicious	DarkTortilla, LummaC Stealer, XWorm	Browse	gstatic-node.io/c2sock
	aM2keVo29a.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	deadpip.xyz/c2sock

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gstatic-node.io	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	188.114.97.7
	vHcolmNDrx.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	UEWorS19Ku.exe	Get hash	malicious	MinerDownloader, LummaC Stealer, Xmrig	Browse	188.114.96.7
	1cDoXMFh1E.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	qWPmliKXpb.exe	Get hash	malicious	DarkTortilla, LummaC Stealer, XWorm	Browse	188.114.97.7
	HH1QmcnOwo.exe	Get hash	malicious	CryptOne, LummaC Stealer	Browse	188.114.96.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.53
	SecuriteInfo.com.Trojan.GenericKD.68531053.31697.15992.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	P6wZPsI7iT.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine	Browse	188.114.96.7
	poG9A9xtE6.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	cHQhnnXraj.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.7
	oCCFAL5B1C.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.96.7
	3tOqxjr1rk.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	LiUvsDzAM5.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Maerskline_Invoice_K22TSI71581.exe	Get hash	malicious	AgentTesla	Browse	162.159.137.232
	DHL_AWB_2506307661.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	DlXCfRPdLr.rtf	Get hash	malicious	FormBook	Browse	188.114.96.7
	DHL_AWB_45000289001.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	N._de_pedido_Z21239.exe	Get hash	malicious	AgentTesla	Browse	162.159.133.233
	ljaaBSpstQ.rtf	Get hash	malicious	FormBook	Browse	23.227.38.74
	hesaphareketi-01.pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	McKenna Ed shared _Document_ with you.eml (17.3 KB).msg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	http://acaciahillhomes.com/kila.php	Get hash	malicious	HTMLPhisher	Browse	188.114.97.7
	https://bafkreifro3wvuzg5u54b56tbi7r3bh5vkoe3xjkifiqcruea6n5hnckncq.ipfs.dweb.link/#	Get hash	malicious	HTMLPhisher	Browse	188.114.97.7
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=TEoNDfxl_E2Txt1S-oRSlxJtQiyHLpNOrYOL8dhHXOlUQktRUE82NUFBSzVVMjlFTTFTRktPQ1c3US4u	Get hash	malicious	Unknown	Browse	104.18.16.182
	4Y8g0J8rBt.exe	Get hash	malicious	FormBook	Browse	188.114.96.7
	TERMS.doc	Get hash	malicious	Unknown	Browse	23.227.38.74
	8VAmuS09tt.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.232
	7ZLS7t6RdA.exe	Get hash	malicious	FormBook	Browse	172.67.148.168
	https://www.baidu.com/link?url=VW7H86BIOYkLVbXomLBGOc51nbFrYWJ07yhNocnD2PNXjIrRCViQ_xyoUreVUqic#cmZvdXNoZWVAcGVyc29uY291bnR5bmMuZ292	Get hash	malicious	HTMLPhisher	Browse	104.21.85.186
	Paystub.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Past Due.xlsx	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.linkedin.com/slink?code=eNJeg_vx#ZGFucGV0aXRAZGVsb2l0dGUuY2E=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.7
	sm46NqECwv.exe	Get hash	malicious	FormBook	Browse	188.114.97.7

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_31b14ea8eef64207fa147982c8a3c8467e2c79d_b7751e98_1a54ed59\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9394152947703281
Encrypted:	false
SSDEEP:	192:P2lHPVUKGGtF5HBUZMXwjMjP/u7sQS274Itl:SPHxBUZMXwjA/u7sQX4Itl
MD5:	C96E8242751BB99C65DDCCA934072554
SHA1:	0375DCBBFB613C6436C12006F3B21D8C4E9C042B
SHA-256:	227E2986842A1A91E913742A6CFA27C7C34FA8129DFED39C91835E258EE9E938
SHA-512:	67A55B9A87346E1EA52FAB1DC182755D5C99FF737358661CF7337E278EF9B821C830947B62E828E2386F4216DF2B0EFCEC3F67D1C0D7321335B591E992046BC6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.6.8.1.6.3.5.6.0.5.6.4.4.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.6.8.1.6.3.5.6.6.3.4.5.5.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.f.f.0.a.1.5.-.6.5.1.f.-.4.f.8.5.-.9.9.b.c.-.1.8.3.a.a.b.2.f.f.6.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.6.3.6.0.f.4.-.1.8.6.3.-.4.f.3.8.-.b.c.5.a.-.6.f.3.e.f.0.7.5.5.2.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.0.-.0.0.0.1.-.0.0.1.f.-.1.a.a.d.-.9.6.5.c.a.3.d.1.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.2.d.0.c.4.8.6.b.c.5.4.2.2.d.4.e.7.6.0.2.c.e.3.4.9.a.f.2.f.0.0.d.e.7.a.2.6.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE635.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Aug 18 07:12:36 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	93012
Entropy (8bit):	2.07672226096538
Encrypted:	false
SSDEEP:	384:WbE2+fIZyCmPAVXTsTijfjt6ZvkMKyJxCfsV7lDJ84J1rVVZNAXn6:WzZyCmGgrZvkMKyJTfH2X6
MD5:	9406AA672E5A30988425C94A9CEF2B4E
SHA1:	02D4F3E7566C3483CC7B7DF18BBB8B49FD838DDF
SHA-256:	8BFA1810D321EDFC960B4DB09BC8B8DC7EE9AD74AC9EDA141336622AFA2C4780
SHA-512:	9CCAA19C8D6A709D8302869D9C3AA06CF6F598CF3771D0B1886C5A61845842B8C63BE5201A7D568FC5E22285290CD3EE784D425DC132A8BCB3ACA934BBE08FBC
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........d....................................<...p...........(>..........`.......8...........T................<...........................................................................................U...........B......0.......GenuineIntelW...........T..............d.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7CD.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8286
Entropy (8bit):	3.6951652053871458
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipJ6BB6YU9o6Bm2gmfGd5SVCpra89bpncsfkH9Dm:RrlsNin6n6Yx6HgmfQS+pnvfEE
MD5:	04CE4197DA8BDF1531E97D56169B682B
SHA1:	C79AAE4B19425954F3CC75C9242BCB81EA60008E
SHA-256:	BA75551B6E8DEA541F51786D3DEEAAECD3B1E984902DA94560A82E5D0CE5B097
SHA-512:	C7533068ADE9F5C60DE62C292501443AE2C215EA598799A38C7E4B9AC9988C77D6A76DABAEBDB75640B63416EC3D16468D2685AB6C2F7E9D75BA568328805E31
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE80C.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4620
Entropy (8bit):	4.445534686857734
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI993hWgc8sqYjq8fm8M4Jh8qFA+q8+HCBfFKrJd:uITfzuggrsqYDJWbjCBfMrJd
MD5:	E8A752F91449C5C6946B9EED500C0E3E
SHA1:	75E4E06E55E711CA6DAFBC89C88490F0E27CA9F9
SHA-256:	D40F28E844FB05B770521DA8AA48DCE0AED6451E33CB88CD605D4FEC29A8244E
SHA-512:	ECDDDC2568DFEBCA1974DDDD6EC403165FB45C0D6A059B3FF3874E3224743E8A4B51791C8CEE87C2B49577CF6A8988E437A1C80B8980DEEEB33B05CF8069CA1F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2178263" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT0uDS8neB.exe.log

Process:	C:\Users\user\Desktop\FT0uDS8neB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.36138700684261
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPQfOKbbDLI4MWuPJK4EWPAqDcnTTJKhav:MLU84qpE4KI2KDE4KhKYIqDcfJKhk
MD5:	C2C8B3AAEB77E2DF060A3E284CEA4D3F
SHA1:	D3959A28A15B7FE8C5DBB86288D80FF723D0D2D9
SHA-256:	63C9A133FCB15548FD22760BDA5FDE73BF5D943626A7D2480978BDE0FEBF4189
SHA-512:	B19994BB683286360C08F08C5CDC15E6A2AF9350829246F2B4FD69E6C139F1185D2C8D31D6E31012449BA694241E02F880AFB0C40FB1424A0FE265C3DCA33E80
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2bef38851483abae82f1172c1aaa604c\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\9d04ce1d8a3042f50b54c7f9ccdb4068\System.Core.ni.dll",0..

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.351496061536473
Encrypted:	false
SSDEEP:	12288:/hUzoyoTwdcBdovor/W88n8bOv/iLkt8/ijJzSqUPspK/+BtRa5x8FT:pUzoyoTwdcjovoVqjz50
MD5:	0B4BE1C62BC243095B2314523A1F2DC0
SHA1:	5F9FF1FCD9D2A152998A75DF96F752E552326322
SHA-256:	873C75321A54DF02E3A5760D7E101103834CCB379B8B25346C38800FC3C81BCA
SHA-512:	B9EC97A9295BBA623D5A726C50DB13F5DB376A421B5E94383C8D0BA73E7A904E7B0C934E922D5D1CC9225CC37720AF11F339C206DDACBFEABCB0C43BD058A360
Malicious:	false
Preview:	regfj...j...p.\..,.................. ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn..].................................................................................................................................................................................................................................................................................................................................................x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.864503611855815
Encrypted:	false
SSDEEP:	384:FG55vzX0mnUUfRMA7CpnXuM3g4z/vGSGunVDigfoEAH6Jphf1oJ1BmE/d:FsvzX3nUUfi6wXuM3g4z/vGnuVDigfoj
MD5:	5D8155E5B59F486EA6F93BAF8F860285
SHA1:	E2264411381A6399271A46B6BEDA4CB6ADA6F808
SHA-256:	591636B8C71A4F78906584495895BFBDB58488D98575D7DEDBE8C757FE5304FB
SHA-512:	6343935F3322B97493203AC5BA7081211E58C347BD5D8B394A7B9993D170DDDA9EA8A691D0341492FA77CF089BEA5191945E8A05C2AE1FF9E9C7979B03810F87
Malicious:	false
Preview:	regfi...i...p.\..,.................. ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn..].................................................................................................................................................................................................................................................................................................................................................x..HvLE.^......i....`......+.S.7b....]Z..\|..........`...............@... ..hbin................p.\..,..........nk,....]........P........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....]........ ........................... .......Z.......................Root........lf......Root....nk ....].....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.900939534337635
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FT0uDS8neB.exe
File size:	1'369'600 bytes
MD5:	e6b8cfb15c6fce9abcea7a716345d537
SHA1:	c56b60c650439c124b403e31aced45c584ecdd7b
SHA256:	6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512:	e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1
SSDEEP:	24576:fk+bHOG7WsijczZPUIuAYfc48SCkbNY/:s+buG7B6cmHAYfgsY
TLSH:	17556BD53F9D5A60E529F67ACAC7608B13B5F1D72222E5272FCB02C94211B851FD2CAC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D/w...............P.................. ... ....@.. .......................@............@................................

File Icon


Icon Hash:	13fbfbfbfb30d032

Static PE Info

General

Entrypoint:	0x511fbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBB772F44 [Sat Aug 31 04:51:16 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
mov byte ptr [eax], al
add byte ptr [eax+00000010h], al
mov al, byte ptr [18800000h]
add byte ptr [eax], al
add byte ptr [eax+00800000h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx], al
add byte ptr [eax], al
add al, dl
add byte ptr [eax], al
add byte ptr [edx], 00000000h
add byte ptr [eax], al
call 00007F007C899C05h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax+eax], 00000000h
add byte ptr [eax], bl
add dword ptr [eax], eax
add byte ptr [30000000h], 00000001h
add byte ptr [eax+00000006h], al
dec eax
add dword ptr [eax], eax
add byte ptr [edi], 00000000h
add byte ptr [eax], al
pushad
add dword ptr [eax], eax
or byte ptr [eax], 00000000h
add byte ptr [eax], al
js 00007F0079099C03h
add byte ptr [eax+00000009h], al
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x111f70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x112000	0x3e0f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x152000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x111f22	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10ffc4	0x110000	False	0.7006171731387868	data	6.967152206152922	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x112000	0x3e0f4	0x3e200	False	0.6891505281690141	data	6.4228390144268594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x152000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1122b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	0.7960992907801419
RT_ICON	0x112718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m	0.6864754098360656
RT_ICON	0x1130a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.6303939962476548
RT_ICON	0x114148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	0.5840248962655602
RT_ICON	0x1166f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	0.5478271138403401
RT_ICON	0x11a918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 11811 x 11811 px/m	0.5346580406654344
RT_ICON	0x11fda0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 11811 x 11811 px/m	0.5186567164179104
RT_ICON	0x129248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m	0.48592215781379394
RT_ICON	0x139a70	0x160b5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0003987020034775
RT_GROUP_ICON	0x14fb28	0x84	data	0.7272727272727273
RT_VERSION	0x14fbac	0x35c	data	0.40232558139534885
RT_MANIFEST	0x14ff08	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6188.114.97.749718802046637 08/18/23-00:12:35.724385	TCP	2046637	ET TROJAN [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt	49718	80	192.168.2.6	188.114.97.7

Network Port Distribution

Total Packets: 17
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2023 00:12:35.484853029 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.503599882 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.503730059 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.504090071 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.521923065 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532723904 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532757044 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532777071 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532799006 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532818079 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532828093 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532830000 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.532887936 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.532928944 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.533107042 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.706820965 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.723905087 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.724066973 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.724385023 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.742605925 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750610113 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750643969 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750664949 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750684977 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750703096 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750718117 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750727892 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.750727892 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.750771046 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.750771046 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:38.846185923 CEST	49718	80	192.168.2.6	188.114.97.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2023 00:12:35.418646097 CEST	54502	53	192.168.2.6	8.8.8.8
Aug 18, 2023 00:12:35.474805117 CEST	53	54502	8.8.8.8	192.168.2.6
Aug 18, 2023 00:12:35.668514013 CEST	51084	53	192.168.2.6	8.8.8.8
Aug 18, 2023 00:12:35.705334902 CEST	53	51084	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 18, 2023 00:12:35.418646097 CEST	192.168.2.6	8.8.8.8	0xf149	Standard query (0)	gstatic-node.io	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.668514013 CEST	192.168.2.6	8.8.8.8	0x75f2	Standard query (0)	gstatic-node.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 18, 2023 00:12:35.474805117 CEST	8.8.8.8	192.168.2.6	0xf149	No error (0)	gstatic-node.io	188.114.96.7	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.474805117 CEST	8.8.8.8	192.168.2.6	0xf149	No error (0)	gstatic-node.io	188.114.97.7	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.705334902 CEST	8.8.8.8	192.168.2.6	0x75f2	No error (0)	gstatic-node.io	188.114.97.7	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.705334902 CEST	8.8.8.8	192.168.2.6	0x75f2	No error (0)	gstatic-node.io	188.114.96.7	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gstatic-node.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49717	188.114.96.7	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Aug 18, 2023 00:12:35.504090071 CEST	92	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: TeslaBrowser/5.5 Host: gstatic-node.io
Aug 18, 2023 00:12:35.532723904 CEST	94	IN	HTTP/1.1 200 OK Date: Thu, 17 Aug 2023 22:12:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8GB6ekAg%2Bx%2FkOFIRIX1XEEdUVtvR4qdVbk59nmOxGL5tpbcrQ2yULoLqvH0jDOY3FPi7vI0G1t9mwgFl8c1izoVjUqY0luCGfY79vWdCNxX8u6k3Ym1NcQUmGqDXkhXQxGc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7f854269e96e30e2-FRA Data Raw: 31 32 37 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 Data Ascii: 1275<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /><!
Aug 18, 2023 00:12:35.532757044 CEST	95	IN	Data Raw: 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f Data Ascii: --[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEven
Aug 18, 2023 00:12:35.532777071 CEST	96	IN	Data Raw: 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 65 64 69 74 20 63 61 72 64 20 64 65 74 61 69 6c 73 20 62 79 20 70 72 65 74 65 6e 64 69 6e 67 20 74 6f 20 62 65 20 61 20 74 72 75 73 74 77 6f 72 74 68 79 20 73 6f 75 Data Ascii: on such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET"> <input type="hidden" name="atok" value="es5mC20k.aGXT.a
Aug 18, 2023 00:12:35.532799006 CEST	98	IN	Data Raw: 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 Data Ascii: rder-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">7f854269e96e30e2</strong></span> <span class="cf-footer-separator sm:hi
Aug 18, 2023 00:12:35.532818079 CEST	98	IN	Data Raw: 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e Data Ascii: iv>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Aug 18, 2023 00:12:35.532828093 CEST	98	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49718	188.114.97.7	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Aug 18, 2023 00:12:35.724385023 CEST	99	OUT	POST /c2conf HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: gstatic-node.io Content-Length: 40 Cache-Control: no-cache Data Raw: 6c 69 64 3d 5a 32 77 4b 43 6e 2d 2d 69 6e 73 74 61 6c 6c 73 32 70 26 6a 3d 64 65 66 61 75 6c 74 26 76 65 72 3d 34 2e 30 Data Ascii: lid=Z2wKCn--installs2p&j=default&ver=4.0
Aug 18, 2023 00:12:35.750610113 CEST	100	IN	HTTP/1.1 200 OK Date: Thu, 17 Aug 2023 22:12:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vAfSX6znwhDgJVJ4PrLxLyBWaKHaN2RMIUvUV5qQVK4JGr4p0AsrgLM4d5b5ixHe4YLo%2F02bzAI8Qxbd5ccIw4DQngAdccGjRdtvs%2F34kDEQRkRmm17ThFUdB0Dui39QVPo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7f85426b4a528fe0-FRA Data Raw: 31 32 37 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 Data Ascii: 127b<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /><!
Aug 18, 2023 00:12:35.750643969 CEST	102	IN	Data Raw: 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f Data Ascii: --[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEven
Aug 18, 2023 00:12:35.750664949 CEST	103	IN	Data Raw: 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 65 64 69 74 20 63 61 72 64 20 64 65 74 61 69 6c 73 20 62 79 20 70 72 65 74 65 6e 64 69 6e 67 20 74 6f 20 62 65 20 61 20 74 72 75 73 74 77 6f 72 74 68 79 20 73 6f 75 Data Ascii: on such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET"> <input type="hidden" name="atok" value="LwmpfwBDMC.tfMO
Aug 18, 2023 00:12:35.750684977 CEST	104	IN	Data Raw: 65 66 74 20 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 Data Ascii: eft border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">7f85426b4a528fe0</strong></span> <span class="cf-footer-separator
Aug 18, 2023 00:12:35.750703096 CEST	104	IN	Data Raw: 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 Data Ascii: </div>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Aug 18, 2023 00:12:35.750718117 CEST	104	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

Click to jump to process

Memory Usage

• FT0uDS8neB.exe
• RegSvcs.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• FT0uDS8neB.exe
• RegSvcs.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: FT0uDS8neB.exePID: 6640, Parent PID: 3432

Function Logs Amsi Logs

General

Target ID:	0
Start time:	00:12:32
Start date:	18/08/2023
Path:	C:\Users\user\Desktop\FT0uDS8neB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\FT0uDS8neB.exe
Imagebase:	0xea0000
File size:	1'369'600 bytes
MD5 hash:	E6B8CFB15C6FCE9ABCEA7A716345D537
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	false

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Mutex Activities

Mutex Created

Process Activities

Process Created

Process Queried

Process Information Set

Process Terminated

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Memory Activities

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

System Activities

Language or Locale ID Queried

System Information Queried

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Chronological Activities

Analysis Process: RegSvcs.exePID: 6672, Parent PID: 6640

Function Logs

General

Target ID:	1
Start time:	00:12:34
Start date:	18/08/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa00000
File size:	45'248 bytes
MD5 hash:	19855C0DC5BEC9FDF925307C57F9F5FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

File Activities

File Opened

File Created

Section Activities

Sections loaded by Windows

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Thread Activities

Thread Information Set

Memory Activities

Memory Usage Statistics

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Network Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Chronological Activities

Analysis Process: WerFault.exePID: 6760, Parent PID: 6672

Function Logs

General

Target ID:	3
Start time:	00:12:35
Start date:	18/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012
Imagebase:	0x1390000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Mutex Activities

Mutex Created

Process Activities

Process Queried

Process Information Set

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Memory Activities

Memory Usage Statistics

System Activities

Language or Locale ID Queried

System Information Queried

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.