Edit tour

Windows Analysis Report
http://5.181.159.23/Downloads/reincarnation.zip

Overview

General Information

Sample URL:	http://5.181.159.23/Downloads/reincarnation.zip
Analysis ID:	1382834
Infos:

Detection

MailPassView

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Downloads suspicious files via Chrome

Machine Learning detection for dropped file

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Found dropped PE file which has not been started or loaded

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sigma detected: File Download From Browser Process Via Inline URL

Sigma detected: Suspicious MsiExec Embedding Parent

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://5.181.159.23/Downloads/reincarnation.zip MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1892,i,16330728437254110003,3318182833698937117,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 5860 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

msiexec.exe (PID: 6084 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Temp1_reincarnation.zip\reincarnation.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4676 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6336 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 096A252D48F07B118B14BFE86FE65104 MD5: 9D09DC1EDA745A5F87553048E57620CF)

expand.exe (PID: 6668 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iTunesHelper.exe (PID: 5144 cmdline: "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe" MD5: ED6A1C72A75DEE15A6FA75873CD64975)

Autoit3.exe (PID: 2604 cmdline: "c:\temp\Autoit3.exe" c:\temp\script.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

WerFault.exe (PID: 4540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 604 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3988 cmdline: C:\Windows\system32\WerFault.exe -u -p 5144 -s 356 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 5096 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.2011015610.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000002.2011078602.00000000060B1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000003.1981885516.0000000004E97000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 096A252D48F07B118B14BFE86FE65104, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6336, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe" , ProcessId: 5144, ProcessName: iTunesHelper.exe

Sigma detected: File Download From Browser Process Via Inline URL

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://5.181.159.23/Downloads/reincarnation.zip, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://5.181.159.23/Downloads/reincarnation.zip, CommandLine|base64offset|contains: -j~b,, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3572, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://5.181.159.23/Downloads/reincarnation.zip, ProcessId: 6300, ProcessName: chrome.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files", CommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 096A252D48F07B118B14BFE86FE65104, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6336, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files", ProcessId: 5096, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\temp\Autoit3.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49731 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.7:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49736 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: chrome.exe

Memory has grown: Private usage: 20MB later: 31MB

Source: unknown

HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49731 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.23

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKAccept-Ranges: bytesContent-Length: 1808242Content-Type: application/zipEtag: "17aed504efd07c001b9772"Last-Modified: Mon, 29 Jan 2024 13:38:46 GMTDate: Mon, 29 Jan 2024 16:13:17 GMTData Raw: 50 4b 03 04 14 00 00 00 08 00 a7 7c 3d 58 d0 d0 2a 63 ee 96 1b 00 00 10 3c 00 11 00 00 00 72 65 69 6e 63 61 72 6e 61 74 69 6f 6e 2e 6d 73 69 ec db 07 78 14 d5 da c0 f1 b3 e9 84 00 a1 4a 13 96 de d3 28 09 2c 92 b2 bb 21 a1 97 00 82 0a 2c c9 42 16 92 dd 75 b3 21 89 08 84 8e 11 0d 88 0a 48 ef 08 a8 34 bb 28 76 c4 86 1d 15 15 35 2a 76 45 45 f4 2a b9 ff 33 33 49 36 01 e3 26 d7 e7 fb 9e fb dc 7d 4f 7e 3b fd 9c 99 c9 cc ec 9c 33 b3 27 5f 6d 78 66 eb c1 96 1f 8b 2a 31 48 04 88 8b a5 61 22 48 1b d6 79 50 22 5c 08 3f 6d f8 62 69 69 69 d9 e8 52 5f fc 57 85 f0 85 2f 7c e1 0b 5f f8 c2 17 be f0 85 2f 7c e1 0b 5f fc 4f c4 9f d4 01 2f 6a ae 62 38 10 03 10 02 59 f7 af 83 50 d4 45 18 ea a1 3e 1a 08 a5 09 40 34 44 23 34 46 13 34 45 33 5c 81 e6 68 81 96 68 85 d6 b8 12 6d d0 16 7a b4 43 7b 74 40 47 74 42 67 74 41 57 74 43 77 f4 40 4f f4 42 04 22 11 85 68 c4 a0 37 fa a0 2f fa 21 16 71 e8 2f d4 f6 09 69 a0 90 ed 1a ea 70 3c dd 04 24 22 09 46 98 60 46 32 06 23 05 a9 18 82 a1 18 86 e1 18 81 91 18 85 d1 18 83 b1 48 c3 38 8c c7 04 5c 8d 89 98 84 6b 70 2d ae c3 64 4c c1 54 58 30 0d e9 c8 80 15 d3 31 03 99 b0 61 26 66 21 0b d9 b0 c3 01 27 ae 87 0b 39 70 23 17 b3 91 87 7c 14 e0 06 cc c1 8d 98 8b 79 98 8f 42 2c c0 42 2c c2 62 2c c1 52 2c c3 72 dc 84 22 dc 8c 15 b8 05 b7 a2 18 2b b1 0a b7 61 35 6e c7 1d b8 13 6b b0 16 eb 70 17 d6 63 03 36 62 13 36 63 0b b6 62 1b b6 63 07 76 62 17 76 63 0f ee c6 5e ec c3 7e dc 83 7b 71 1f 0e e0 20 0e e1 30 8e e0 7e 3c 80 07 f1 10 1e c6 23 78 14 8f e1 28 1e c7 13 38 86 27 f1 14 9e c6 33 78 16 cf e1 79 1c c7 0b Data Ascii: PK|=X*c<reincarnation.msixJ(,!,Bu!H4(v5*vEE*33I6&}O~;3'_mxf*1Ha"HyP"\?mbiiiR_W/|_/|_O/jb8YPE>@4D#4F4E3\hhmzC{t@GtBgtAWtCw@OB"h7/!q/ip<$"F`F2#H8\kp-dLTX01a&f!'9p#|yB,B,b,R,r"+a5nkpc6b6cbcvbvc^~{q 0~<#x(8'3xy

Source: global traffic

HTTP traffic detected: GET /Downloads/reincarnation.zip HTTP/1.1Host: 5.181.159.23Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.7:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49736 version: TLS 1.2

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\reincarnation.zip (copy)

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\62f8ea.msi

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIFA51.tmp

Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5144 -s 356

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll

Source: classification engine

Classification label: mal64.spyw.evad.win@32/35@8/97

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\68d7f3f9-e2f0-4059-93ba-92fc60501586.tmp

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5144
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2604
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5AA17A32C889221C.TMP

Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\msiwrapper.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://5.181.159.23/Downloads/reincarnation.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1892,i,16330728437254110003,3318182833698937117,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\Temp1_reincarnation.zip\reincarnation.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 096A252D48F07B118B14BFE86FE65104
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Process created: C:\temp\Autoit3.exe "c:\temp\Autoit3.exe" c:\temp\script.au3
Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5144 -s 356
Source: C:\temp\Autoit3.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 604
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files"
Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Process created: C:\temp\Autoit3.exe "c:\temp\Autoit3.exe" c:\temp\script.au3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1892,i,16330728437254110003,3318182833698937117,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\msiwrapper.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	File created: C:\temp\Autoit3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\f0d3433fd1476a44adc4805716b9b77a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\9c8f2adf59991f4b8f28dc08af9e5c06.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\CoreFoundation.dll (copy)	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\temp\Autoit3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\expand.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\f0d3433fd1476a44adc4805716b9b77a.tmp

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: unknown FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: unknown FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: unknown FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: unknown FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: unknown FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Windows\System32\msiexec.exe

System information queried: CodeIntegrityInformation

Source: C:\temp\Autoit3.exe	Process queried: DebugPort
Source: C:\temp\Autoit3.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files"
Source: C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe	Process created: C:\temp\Autoit3.exe "c:\temp\Autoit3.exe" c:\temp\script.au3

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: unknown VolumeInformation

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected MailPassView

Source: Yara match	File source: 0000000D.00000002.2011015610.0000000004F54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2011078602.00000000060B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1981885516.0000000004E97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	1 Rundll32	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
http://5.181.159.23/Downloads/reincarnation.zip	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\temp\Autoit3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\9c8f2adf59991f4b8f28dc08af9e5c06.tmp	0%	ReversingLabs
C:\temp\Autoit3.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.253.124.84	true	false	high
www.google.com	74.125.138.104	true	false	high
clients.l.google.com	74.125.138.139	true	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.181.159.23/Downloads/reincarnation.zip	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.168.117.173	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
74.125.138.104	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
74.125.138.139	clients.l.google.com	United States	15169	GOOGLEUS	false
5.181.159.23	unknown	Moldova Republic of	39798	MIVOCLOUDMD	false
64.233.176.94	unknown	United States	15169	GOOGLEUS	false
108.177.122.94	unknown	United States	15169	GOOGLEUS	false
64.233.176.139	unknown	United States	15169	GOOGLEUS	false
172.253.124.84	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1382834
Start date and time:	2024-01-29 17:12:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://5.181.159.23/Downloads/reincarnation.zip
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.spyw.evad.win@32/35@8/97

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 64.233.176.94, 34.104.35.123
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, clientservices.googleapis.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: http://5.181.159.23/Downloads/reincarnation.zip

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.862589731362741
Encrypted:	false
SSDEEP:
MD5:	6004DE6238C30E641D0610D1FD831190
SHA1:	B1C204DC5CD0088927DCFBD524CEADBEFA4BAABB
SHA-256:	C73B6BADEE0F5F1114B6F58D524D186A03F7A21E980703298C5AFCE89AF40371
SHA-512:	439BF86D50B9A080900397D42217B4CE6755396FD345566B08944912F4148AF12F7E1A964399AFB9FDCDF30B085E4246DC767B5BCBCA7D2EB746F6A32ED40229
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.1.0.1.8.4.1.6.4.8.5.6.9.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.1.0.1.8.4.1.7.2.1.6.6.8.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.2.9.0.0.3.9.-.0.c.5.f.-.4.4.f.f.-.a.8.2.6.-.7.a.5.1.1.6.e.0.e.5.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.1.f.6.e.c.4.-.1.7.5.6.-.4.8.5.9.-.b.d.7.6.-.9.9.1.d.1.0.6.8.a.c.a.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.u.t.o.i.t.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.u.t.o.I.t.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.4.8.3.8.-.7.a.1.c.c.e.5.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.0.6.f.a.0.9.b.3.8.c.9.c.3.b.a.4.5.c.7.3.2.a.4.d.c.9.a.8.4.6.1.0.0.0.0.0.9.0.8.!.0.0.0.0.2.a.4.0.6.2.e.1.0.a.5.d.e.8.1.3.f.5.6.8.8.2.2.1.d.b.e.b.3.f.3.f.f.3.3.e.b.4.1.

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8113328767622522
Encrypted:	false
SSDEEP:
MD5:	76BE1BD42D3C5E3D1CE919B607369997
SHA1:	664BFB35288B8BB8C9ADBA1733E5C681AAE54478
SHA-256:	3395B39ACC2D645B27A16686F06129944B00EE2CE116BFFF28B58AED3C179158
SHA-512:	A0A072A03AA607E7AE2D3AFD6F3199EF188DD62357A06788C2439E66885303FC4EEBBA184E9E5621E3FA1F36623E9F64B675B111D2B7401A6E02CE92324D6CB4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.1.0.1.8.4.1.6.2.5.0.1.9.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.1.0.1.8.4.1.6.7.7.2.2.2.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.4.7.0.d.e.1.-.8.1.b.d.-.4.4.1.6.-.9.3.6.9.-.e.4.b.0.c.a.e.3.2.0.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.5.3.d.4.a.1.-.6.c.c.c.-.4.1.a.b.-.a.6.a.9.-.3.1.d.0.6.7.9.7.e.e.f.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.i.T.u.n.e.s.H.e.l.p.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.i.T.u.n.e.s.H.e.l.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.1.8.-.0.0.0.1.-.0.0.1.4.-.f.f.9.e.-.3.4.1.c.c.e.5.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.3.d.5.6.6.8.6.2.5.a.9.8.b.b.f.d.2.0.d.2.6.f.f.6.3.1.5.f.6.f.3.0.0.0.0.0.9.0.4.!.0.0.0.0.6.7.a.1.5.c.a.7.2.e.3.1.5.6.f.8.b.e.6.c.4.6.3.9.1.e.1.8.4.0.8.7.e.4.7.f.4.a.0.d.!.i.T.u.n.

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, many, 3684121 bytes, 3 files, at 0x2c +A "CoreFoundation.dll" +A "iTunesHelper.exe", ID 35065, number 1, 113 datablocks, 0 compression
Category:	dropped
Size (bytes):	3684121
Entropy (8bit):	7.062922354388952
Encrypted:	false
SSDEEP:
MD5:	2CA32763A836BDA6629439DFDF7574FB
SHA1:	73DF86B5C6EFDDEF1759B803FE075F9F0414A75A
SHA-256:	249CCC81506722721DA5774E2D3718B02FA79F1A2F4024E609E6FCF1B6BEDF0A
SHA-512:	248DF241C4DE5FC942163EC9C447328AADAF824C4323A676B3C261027237F3CF72390A372B67C678B97CE8F62E3B92F3E218F6D29BE47BB45BA604B4D7B1DF1A
Malicious:	false
Reputation:	low
Preview:	MSCF.....78.....,.......................q.............=X., .CoreFoundation.dll.`.........=X., .iTunesHelper.exe.....`O....=X., .sqlite3.dll.........MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......e.........." ................@.........@...........................................`.......................... ............... ...,...................`...1...........`.......................................................................................text...D........................... ..`.data........0......................@....bss.........0...........................idata..............................@....didata.............."..............@....edata...,... .......&..............@..@.rdata..E....P.......T..............@..@.reloc.......`.......V..............@..B.pdata...1..

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1619456
Entropy (8bit):	6.016204754935511
Encrypted:	false
SSDEEP:
MD5:	CE2E53DA2015987538D794B04C4AE0D5
SHA1:	6952BA24FCC3BB41D4DD03D41C56CA12F4CCE95A
SHA-256:	1E3BDDD68B9DBDF728AFA28A29DB324B21D71FA145E6EFFF8D44B46F3637D9F4
SHA-512:	DDD0D0746A180F1782CB9C13CF37992D80E2B8F3C0E043FE5BA96F80ADAC066DE79E59D10D5E1E91E22C434ECA65793EFC17459AB2D6565B2FC6986C86B146B0
Malicious:	true
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......e.........." ................@.........@...........................................`.......................... ............... ...,...................`...1...........`.......................................................................................text...D........................... ..`.data........0......................@....bss.........0...........................idata..............................@....didata.............."..............@....edata...,... .......&..............@..@.rdata..E....P.......T..............@..@.reloc.......`.......V..............@..B.pdata...1...`...2...V..............@..@.rsrc...............................@..@....................................@..@........................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 29 15:13:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9825758321868268
Encrypted:	false
SSDEEP:
MD5:	E8C838C626AE62E166FCF262E452D480
SHA1:	600744EAAB1FC2AE77A0CAF4E19DBDA3059B411F
SHA-256:	D1642174E6A6FF7083A8F4A63D488774CA749DBBB7179FA20C5A443D964BCA27
SHA-512:	27AAD190B8E4681E5326DECCD114255F3B6E65812572DD3CAF6158821864FB53D517E1758FC8B3AEA9AB7AC23EB0369FF556B23B73324C336DADAE8FA86E6E71
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....\.`..R..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I=X......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V=X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V=X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V=X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V=X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............cx.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164545388662407
Encrypted:	false
SSDEEP:
MD5:	89AF66492B8DDE5D4AD4629AE9F2C2A5
SHA1:	B5EBA879D0AAB83CD0C9326B2C1C949C456B2311
SHA-256:	64B585C07CD1A9DD6D5571580C77692638E5B8078DB75F643FCBCC3D156CAF14
SHA-512:	B5C76F2E481D18E0A0C02CD9A95EA6CADB8156795C1CFB865DA164078BBE24038AE48DA727C3C2D9B080B665E9E7AB54313B1216FF366B734D6790C7274325A8
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://5.181.159.23/Downloads/reincarnation.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Autoit3.exe_2e9c3a7a31e8caa5cb6cb197befd77354dc15c_e0ee09ac_6b290039-0c5f-44ff-a826-7a5116e0e5b5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iTunesHelper.exe_ca43fa387e5b8036dd414c76b52f23c6959303e_d8201673_dc470de1-81bd-4416-9369-e4b0cae320db\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER677.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C6.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87C.tmp.xml

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files.cab

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\CoreFoundation.dll (copy)

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\9c8f2adf59991f4b8f28dc08af9e5c06.tmp

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\f0d3433fd1476a44adc4805716b9b77a.tmp

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\ba84ee72f0364ddca96d220ebe28869c$dpx$.tmp\f5d7b9e9f092f348b95f0b7460f91ca1.tmp

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\iTunesHelper.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\files\sqlite3.dll (copy)

C:\Users\user\AppData\Local\Temp\MW-fad35356-b30e-4753-9bbf-64835c8baf26\msiwrapper.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\68d7f3f9-e2f0-4059-93ba-92fc60501586.tmp

C:\Users\user\Downloads\reincarnation.zip (copy)

C:\Users\user\Downloads\reincarnation.zip.crdownload

C:\Windows\Installer\SourceHash{719E9625-9BD4-4D30-90BE-113AA1D7545F}

C:\Windows\Temp\~DF5AA17A32C889221C.TMP

C:\Windows\Temp\~DF7D5EF1DD340BCAEA.TMP

Windows Analysis Report
http://5.181.159.23/Downloads/reincarnation.zip

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre