Edit tour

Windows Analysis Report
https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z

Overview

General Information

Sample URL:	https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz
Analysis ID:	1449964
Infos:

Detection

Vidar

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Vidar stealer

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Writes to foreign memory regions

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

One or more processes crash

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3588 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z&X-Amz-Expires=86400&X-Amz-Signature=e44f950daf1a1a2004947d6b8b5f8aa77838142684691288964d6f5027abcb41&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip%22&response-content-type=application%2Fzip&x-id=GetObject MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3168 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1936,i,16970817942373422082,12545059405876858752,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 7732 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Setup_Free-File.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe" MD5: 098AC4621EE0E855E0710710736C2955)

Setup_Free-File.exe (PID: 7992 cmdline: "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe" MD5: 098AC4621EE0E855E0710710736C2955)

cmd.exe (PID: 8012 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UpdateUiClient.exe (PID: 1448 cmdline: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe MD5: 3C4D3348418C783EDE10B71147965BF1)

WerFault.exe (PID: 3984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Setup_Free-File.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe" MD5: 098AC4621EE0E855E0710710736C2955)

Setup_Free-File.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe" MD5: 098AC4621EE0E855E0710710736C2955)

cmd.exe (PID: 6900 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UpdateUiClient.exe (PID: 756 cmdline: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe MD5: 3C4D3348418C783EDE10B71147965BF1)

WerFault.exe (PID: 1108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 688 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000E.00000000.1479967350.0000000000401000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000012.00000002.1744902792.00000000058E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000014.00000002.1760328230.000000000099F000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\coml2\WebUI.dll	Avira: detection malicious, Label: TR/Redcap.ixhiq
Source: C:\Users\user\AppData\Roaming\coml2\WebUI.dll	Avira: detection malicious, Label: TR/Redcap.ixhiq
Source: C:\Users\user\AppData\Roaming\coml2\WebUI.dll	Avira: detection malicious, Label: TR/Redcap.ixhiq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\coml2\WebUI.dll	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\coml2\WebUI.dll	Virustotal: Detection: 71%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:50674 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.22:443 -> 192.168.2.16:50675 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:50672 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.209.150
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: eu-central.storage.cloudconvert.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50674
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50675
Source: unknown	Network traffic detected: HTTP traffic on port 50674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:50674 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.22:443 -> 192.168.2.16:50675 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 704

Source: classification engine

Classification label: mal84.troj.evad.win@34/26@4/75

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\d4c7ac12-a2c7-44a6-b450-530f5f6f054f.tmp

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess756
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1448
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\DGXGEQH

Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe

File created: C:\Users\user\AppData\Local\Temp\52771410

Source: Yara match

File source: 0000000E.00000000.1479967350.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z&X-Amz-Expires=86400&X-Amz-Signature=e44f950daf1a1a2004947d6b8b5f8aa77838142684691288964d6f5027abcb41&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip%22&response-content-type=application%2Fzip&x-id=GetObject
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1936,i,16970817942373422082,12545059405876858752,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1936,i,16970817942373422082,12545059405876858752,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe"
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 704
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe
Source: unknown	Process created: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe "C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe"
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 688
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: webui.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: pla.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: tdh.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: webui.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: pla.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: tdh.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Section loaded: sfc_os.dll

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	Jump to dropped file
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	File created: C:\Users\user\AppData\Roaming\coml2\WebUI.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXHPVKAOHBMY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXHPVKAOHBMY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXHPVKAOHBMY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXHPVKAOHBMY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WGHIA
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXHPVKAOHBMY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WGHIA
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXHPVKAOHBMY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WGHIA

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\cmd.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy

Jump to dropped file

Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	NtQuerySystemInformation: Direct from: 0x55103F
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	NtCreateFile: Direct from: 0x404001
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	NtAllocateVirtualMemory: Direct from: 0x404F94
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	NtQuerySystemInformation: Direct from: 0x5370020
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	NtQuerySystemInformation: Direct from: 0x776D7B2E
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	NtQuerySystemInformation: Direct from: 0x52C8020
Source: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	NtCreateMutant: Direct from: 0x404517

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe base: 4014D0
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe base: 241008
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe base: 980000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe base: 4014D0
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe base: 2EA008
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe base: 9B0000

Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe
Source: C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 00000012.00000002.1744902792.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED
Source: Yara match	File source: 00000014.00000002.1760328230.000000000099F000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 00000012.00000002.1744902792.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED
Source: Yara match	File source: 00000014.00000002.1760328230.000000000099F000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	211 Process Injection	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z&X-Amz-Expires=86400&X-Amz-Signature=e44f950daf1a1a2004947d6b8b5f8aa77838142684691288964d6f5027abcb41&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip%22&response-content-type=application%2Fzip&x-id=GetObject	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\coml2\WebUI.dll	100%	Avira	TR/Redcap.ixhiq
C:\Users\user\AppData\Roaming\coml2\WebUI.dll	79%	ReversingLabs	Win32.Adware.RedCap
C:\Users\user\AppData\Roaming\coml2\WebUI.dll	72%	Virustotal		Browse
C:\Users\user\AppData\Roaming\coml2\WebUI.dll	100%	Avira	TR/Redcap.ixhiq
C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\coml2\WebUI.dll	100%	Avira	TR/Redcap.ixhiq
C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
storage.cloudconvert.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
eu-central.storage.cloudconvert.com	0%	Virustotal	Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
storage.cloudconvert.com	51.195.5.198	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.185.100	true	false	0%, Virustotal, Browse	unknown
eu-central.storage.cloudconvert.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	unknown	United States	15169	GOOGLEUS	false
64.233.166.84	unknown	United States	15169	GOOGLEUS	false
51.195.5.198	storage.cloudconvert.com	France	16276	OVHFR	false
52.168.117.173	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.78	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.163	unknown	United States	15169	GOOGLEUS	false
20.189.173.20	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.74.195	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1449964
Start date and time:	2024-05-31 07:43:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z&X-Amz-Expires=86400&X-Amz-Signature=e44f950daf1a1a2004947d6b8b5f8aa77838142684691288964d6f5027abcb41&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip%22&response-content-type=application%2Fzip&x-id=GetObject
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.win@34/26@4/75

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.186.46, 64.233.166.84, 34.104.35.123
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UpdateUiClient.e_6831b777b31e168c889b7440368edef2f65358c6_4370b9a3_44602666-f85a-4920-938b-350ad7f2947c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9181926137264874
Encrypted:	false
SSDEEP:
MD5:	8D42CE696A5D01D82E48C0F755A25139
SHA1:	22A5827AF3B6034CFC8BFFBC128FE573CDE4FD99
SHA-256:	B282ADE4512075DBB413DC99543B8B057F74F5F9A0AF9232C673B6F17B1E5D9B
SHA-512:	9B88F71F783D1AE5E2507AE9466541742743861C3305F7053AA5F95FD3C3CEA072CE268212CEC31950C19A29FEDADF13BD19D3CC11F953E4017ED17304265C03
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.6.0.7.9.2.0.5.4.7.9.7.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.6.0.7.9.2.0.7.8.4.9.8.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.6.0.2.6.6.6.-.f.8.5.a.-.4.9.2.0.-.9.3.8.b.-.3.5.0.a.d.7.f.2.9.4.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.c.b.0.a.0.f.-.e.6.b.5.-.4.0.7.f.-.8.d.1.2.-.8.6.4.2.0.1.6.3.2.d.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.U.p.d.a.t.e.U.i.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.f.4.-.0.0.0.1.-.0.0.1.6.-.c.f.c.6.-.3.1.b.4.1.d.b.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.9.3.6.d.0.8.8.8.2.d.f.a.4.0.4.8.5.c.c.4.a.3.d.3.4.c.e.d.3.1.6.0.0.0.0.f.f.f.f.!.0.0.0.0.8.a.6.c.f.3.a.a.2.1.9.3.5.c.6.6.f.2.9.e.5.6.0.2.6.e.5.c.e.d.9.2.f.2.e.7.8.7.f.9.!.U.p.d.a.t.e.U.i.C.l.i.e.n.t...e.x.e.....T.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UpdateUiClient.e_6831b777b31e168c889b7440368edef2f65358c6_4370b9a3_67a20cdf-6ec0-4732-bd04-bd956979eb0d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9175976900567183
Encrypted:	false
SSDEEP:
MD5:	DCFF0EF7E3124A782A4B7EBD2625FBBD
SHA1:	7CF0C86E7E8B80F33A2E03F9FA5E5A3520F59694
SHA-256:	3274736D4473E152B948A9DF94C28027D6C90E5B7126AAF389B6FAC5E78B5605
SHA-512:	EFEB14E8B3A335D6A85981A296D2A522942589F14C989C3C24F136CD546149912BA292C49EB51E4B32E70899EEED7CB4D9EEA22E33F912573FD77E39EBBD9EE7
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.6.0.7.8.6.9.7.9.6.7.9.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.6.0.7.8.7.0.2.9.1.8.0.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.a.2.0.c.d.f.-.6.e.c.0.-.4.7.3.2.-.b.d.0.4.-.b.d.9.5.6.9.7.9.e.b.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.1.e.8.e.0.e.-.e.a.2.9.-.4.c.4.d.-.a.a.d.7.-.6.3.a.8.5.0.f.a.c.4.7.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.U.p.d.a.t.e.U.i.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.a.8.-.0.0.0.1.-.0.0.1.6.-.0.3.0.2.-.b.a.9.5.1.d.b.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.9.3.6.d.0.8.8.8.2.d.f.a.4.0.4.8.5.c.c.4.a.3.d.3.4.c.e.d.3.1.6.0.0.0.0.f.f.f.f.!.0.0.0.0.8.a.6.c.f.3.a.a.2.1.9.3.5.c.6.6.f.2.9.e.5.6.0.2.6.e.5.c.e.d.9.2.f.2.e.7.8.7.f.9.!.U.p.d.a.t.e.U.i.C.l.i.e.n.t...e.x.e.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri May 31 05:45:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	31700
Entropy (8bit):	2.4015367543461084
Encrypted:	false
SSDEEP:
MD5:	E216173BED809926965DF106370322EA
SHA1:	E4D4A7C8CE9B540ED4ED4CFD5F05CB2993DAAAF9
SHA-256:	B774AF0B7AC8749CC6B4EA11970A779A86D9FF0F336158ADFE1AEB71D0D2976C
SHA-512:	4E416C910941F63D89ED93F19EE77BE7D4B98C4B2754800616834F4C8A6BCECCAEBCEE2448E2261EF30C79D2F20B005375CDAB33BAA4E5BF4ED58F6F4AFA2F1E
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........cYf............4...............<.......d...p)..........T.......8...........T................_......................................................................................................eJ......p.......GenuineIntel............T............cYf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D20.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.7006601563719714
Encrypted:	false
SSDEEP:
MD5:	77971F5578641535FE831A51A3B80709
SHA1:	744418D305E6ACD37641FA4935CB66844FC089D7
SHA-256:	49DAED6B4D56642B5BE6410BAAE1C63F66576C059D530F94B69AB06DB760378B
SHA-512:	8FFE92903E97405B6A0B1B834220A15AFE379A46336A3006918F517BA33CD7DB396F43736F2107397385C35D39BDE3A4731C460BDDBB7C61A239C5D1FBCA1545
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.6.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D41.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4644
Entropy (8bit):	4.4942715268298175
Encrypted:	false
SSDEEP:
MD5:	E111C461911B4D77368B74E22194B973
SHA1:	07BEC7D21D1B3FC8C2F5832132A7CED2AA3086A4
SHA-256:	1BEC00D7A25425F51173E224ABDACFB20A73FA430A99DC2538282CF106AFF6BE
SHA-512:	A9C9439D0E0D6E12D6242FE51BDE55D367ADC4E2E5F8FA9C8E28EE76897855C0A46A0CA2A18A06263CBEABC04F017ECC7C08D2FF27BD40586BB301D42D7ACAB9
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="346848" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER56A3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri May 31 05:44:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	31740
Entropy (8bit):	2.4015701066802864
Encrypted:	false
SSDEEP:
MD5:	41C3983730D932D7FA9DC610AD3D8A38
SHA1:	780A83FD329B8DAD831A29AF1744354DBE97F017
SHA-256:	F28326A89DF466D5529C4DB0B70D67BCBB95529470FF5F67A0209A5D9B2BE1CC
SHA-512:	4113487628D400C7F818D62DDE49DB6D9B6E08645844CD9235C8BA2E744C971F5C8BE6EBB09F80686D6C6E6BD31DE1534E61EB5A6761C19C06FA282A4B51B12D
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........cYf............4...............<.......d...p)..........T.......8...........T...........0...._......................................................................................................eJ......p.......GenuineIntel............T............cYf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5740.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8354
Entropy (8bit):	3.6994881779965096
Encrypted:	false
SSDEEP:
MD5:	AB5743CCCA37B6BB0A061C9D7E37C59D
SHA1:	38F06E15207DCE84D1E45F0AE7CB2951BFF48E41
SHA-256:	E933E1325480438F6E2AE451D266AFC96B33C0BDBFC9CE7D8D11B96BB1666D07
SHA-512:	8A1624D8732CE2C1A830A6DA17B51FA8727937DA38B029FEA2DF45CE67E7D9E38D4F3F5422DB88EF1D54699CBE5018D7ECEF7B1CB4A78CF4A44F4C14977BAB04
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5760.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4644
Entropy (8bit):	4.491141612598209
Encrypted:	false
SSDEEP:
MD5:	0633A2B7081B19AD2209FDCDB1C2A30D
SHA1:	D433C87DD8EBA26D40785919D0B25C7E712710AF
SHA-256:	E6FE85AF58000358BFAB55AE908A2B7AA54AFF6D3D5BC088EE630A3CB4604CFB
SHA-512:	939CB434D6A13E2F45C3584BFBEE74794438621D176D9AF52F65CE6F1B731C42016807EDD4D54BE525AD14C430581F0115583CD07219669A73504995BFE6DD4E
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="346847" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\52771410

Download File

Process:	C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe
File Type:	data
Category:	modified
Size (bytes):	8312370
Entropy (8bit):	7.8804987348845446
Encrypted:	false
SSDEEP:
MD5:	81C188D882437CCEC539C5AAFE88A583
SHA1:	8C1B37FD35FC09E16AEE42CFAC115A3C3A40B105
SHA-256:	925F175E4AE4B49AB5E8F31805A482BF280F51B679551D47718CD8A48574F39B
SHA-512:	107CEAB84A7373A52857722B5D736C8ED3222E708127D573520B1D01CD3010A1D865E8D0BE17009F2CEFFF0C4352514AC0CF458370672DBA41ED93D176868B9C
Malicious:	false
Reputation:	unknown
Preview:	X...[...[...[...Z...?...O...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...~.......~..8.4...4......./...5...).:...../...[...[...[...[...[...[...[...[...[...[...[.....2...7.....[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[.....>...:.[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...~........).=.....).,.[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...-...u...i...[...[...[...[...[...[...[...[...[...[...

C:\Users\user\AppData\Local\Temp\6ef993a2

Download File

Process:	C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe
File Type:	data
Category:	dropped
Size (bytes):	8312370
Entropy (8bit):	7.880498722028444
Encrypted:	false
SSDEEP:
MD5:	1D28BE655D6E34087A25F1F116800D68
SHA1:	D81A72ED8A56A0CAB4BA6B04E80391765D2C856A
SHA-256:	CA168C98EE9971BA77B3EB7FC86210A6C7536EA98C9AD8624E3BDCEB0E6B1C72
SHA-512:	FDDFC9C3359560C4B2510F8FFF63B812F409C2DA3618E4528154478322181E59FEBA4F51B8D0106C64370AF41F4D1BECF2DD183E1B04F288A686BCC749BE58F6
Malicious:	false
Reputation:	unknown
Preview:	X...[...[...[...Z...?...O...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...~.......~..8.4...4......./...5...).:...../...[...[...[...[...[...[...[...[...[...[...[.....2...7.....[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[.....>...:.[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...~........).=.....).,.[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...-...u...i...[...[...[...[...[...[...[...[...[...[...

C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2176000
Entropy (8bit):	6.5761624004996895
Encrypted:	false
SSDEEP:
MD5:	3C4D3348418C783EDE10B71147965BF1
SHA1:	8A6CF3AA21935C66F29E56026E5CED92F2E787F9
SHA-256:	24AE84C48D0AE8CE587C311D88AF1640991B56850D38CC40106EA84C371CAEFD
SHA-512:	096384CDC89A1688BE380095C2BE807EDF42B7C726F5D3337585978C3C510C91315F63ECBDF8635251981275D2306E64C913C9657C6B14BE42672E35A26817EA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.R.................L...0!..............`....@...........................8......!....... ...............................7.h.............................................................7.......................7.T............................text...xJ.......L..................`.P`.data........`.......P..............@.`..rdata...7.......8..................@.`@.rodata......0!.......!.............@.`@.bss....@....@!.......................`..idata..h.....7...... !.............@.0..CRT....4.....7......0!.............@.0..tls.... .....7......2!.............@.0.................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5444096
Entropy (8bit):	6.80364452893665
Encrypted:	false
SSDEEP:
MD5:	D4E34E06EB5AD8E97C7BD2F239B2972D
SHA1:	13106CD27B98FA6783E6CF5B502FB575E5B20945
SHA-256:	62A3062E44B28118E6FDE6801DA66C3678133BA3E44AF4F15D5A2DEE4514A540
SHA-512:	A465F2FB7B2B86378C4F14CF37A396C6A4F41E4A470CBB9F7CCE9CFE45637A4E4CD71AE527843122D0DB8F3183A7225DFC737A1146A4AFC740E62BC521EA4E0D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D%.\%K}\%K}\%K}3S.}R%K}3S.}.%K}U].}Y%K}U].}P%K}.\J\|_%K}\%J}/%K}3S.}w%K}3S.}]%K}Rich\%K}........................PE..L....w.L.........."...........Q.....OO............@...........................t......!S...@...S.X.....S.X............................s.......................s..-......................................................l............................text............................... ..`.rdata..t...........................@..@.data...8.q.......O.................@....rsrc.........s......zR.............@..@.reloc........s......\|R.............@..Bejyg..... ...`t.......R.............@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 30 04:43:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9827910531209083
Encrypted:	false
SSDEEP:
MD5:	9E35DBE0DD7FCB841725F491F1CC8041
SHA1:	3650BED038CE608A84B2DC2A5F913F4159F8A5F9
SHA-256:	B0C119A3F0EC9A2385B2AC93DF5EEABF07F876F4E551C44FE0BC06BD3D342501
SHA-512:	D472E58B3852A75DEC269B1DAE93FA3534E0E92709962C32B85C12FBDF56EA39BB7AD9A5F4B3A7D44A647F5799653FFB14B97B7CABF49756E73ED588D090914B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......"z....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xh-....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xq-....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xq-....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xq-..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xr-...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............h.U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 30 04:43:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9982288617741526
Encrypted:	false
SSDEEP:
MD5:	D23ED3E99FA622339366266446F06DC7
SHA1:	BB152B77B6AE7893893D0C67948E9CA686A91D10
SHA-256:	9CCAE2351697B89FA9674EAB361D503CD6B400F17B06A474F72D45B3E8DCEE9F
SHA-512:	DBFD00F4521AD3C9CE25AB9DB214660C43061EB3917B75CED44D89DD15781131E2AAFD1650696312A04115F632DD5720735C3109AE57066F8158700E5527126C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......z....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xh-....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xq-....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xq-....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xq-..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xr-...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............h.U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.004245365099493
Encrypted:	false
SSDEEP:
MD5:	D01AAB165F1E49EB974E05706BC10B51
SHA1:	751370AFDC3BB117CDA6467B05FCEA36D3B19630
SHA-256:	D34B7E3F4E63821B8CA3C1F40F659AB971BA8649F94D2D12B0D271EB96674FBE
SHA-512:	3DCEBD6EC0E5C4C8C804A3591853BAF1FB01EBC44A0D77323B248EC7856FAC47DB0B682E9EBE462B18FE26CE7CA0CA699DDF6C5CF864F3FB5DB713CD7F0A1B4C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xh-....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xq-....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xq-....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xq-..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............h.U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 30 04:43:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.995280071618079
Encrypted:	false
SSDEEP:
MD5:	79A705458D387B02E6141B434ADB936B
SHA1:	5964A075826B1947644A7E61831161A05BACD812
SHA-256:	14ED3058D263A2BEBC739324AAAA8B86A7CD7AF40BB4B28FD5C55561D3D29AF9
SHA-512:	37EE49914AF13F32156C3C72C2F2315CCACB91D561019ED66F1D16177F649CCDF36832CADD3CAAB1EE1C0CDB6E28C41973E7F9A96961BA777029E821EB4EB984
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......z....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xh-....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xq-....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xq-....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xq-..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xr-...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............h.U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 30 04:43:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9829426459461588
Encrypted:	false
SSDEEP:
MD5:	F0D398339569F05074EDBDFC143D53C4
SHA1:	3F393580EBDB175CBEE7A04BCA15AD3581FE0975
SHA-256:	CD2DB6D267003B48D00A994505F37049AA178BC8D2A6D3385B6760382456BDB3
SHA-512:	3791EE869E5925853785AB884DB83C6BE7CCF4EA12609F2ABF0D4CBDAFE7351BD99B0F91A04F03D204B3D84E529775BA91B8EADBDA8D391BA2A77A9D924C9F50
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....X.z....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xh-....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xq-....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xq-....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xq-..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xr-...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............h.U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 30 04:43:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.992732785325061
Encrypted:	false
SSDEEP:
MD5:	1DD55E027CF160C7A6A782F23F920212
SHA1:	F85BEC8BA59358F102A300387F79E5F4A25979B6
SHA-256:	882177653ACBF30FFA543BDB97F7EF97187735A987ACC15CC465E6CF85064CA8
SHA-512:	960A1A05ED93742CDEBC2A88E036CB4603C9DD597CE2D49B0FEB65AD4DCCBA45BBD5C24056BD944A305A63B4DBD5DCAE5612A3F701B2161F0063731196EF708A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....._.z....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Xh-....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xq-....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xq-....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xq-..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xr-...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............h.U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\coml2\WebUI.dll

Download File

Process:	C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8009984
Entropy (8bit):	6.70661807089404
Encrypted:	false
SSDEEP:
MD5:	20092B4ECD2B2561C5C7B5239A0D7EE0
SHA1:	23B9719A55B8EE4B372332A00EFFBE49CF626A52
SHA-256:	4592EF153E6BF3C9EAA7BD151F8F598063EFC4DF628D2CDEE71F18BAE9096CBC
SHA-512:	5A9235E503DDC0AAE61917C33FE4A474095FBE3E37D6B5BCADAACD1B1DB636606581E6A818DBCE9CD2F88352FE6D90505A9DDF0AC828D4DBDBD30287567C6E75
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 72%, Browse Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uF.uF.uFs..F.uF...F..uF.c.F.uF.c.F.uF.tF..uF...F..uF...F.uF...F.uF...F.uF...F.uF...F.uFRich.uF........................PE..L...A..R...........!.....^U..@%.............pU...............................z......nz...@..........................vq......Tq.......t...............y..;....t..F...wU..............................gn.@............pU.D............................text...`]U......^U................. ..`.rdata..+....pU......bU.............@..@.data...H.....q..z...lq.............@....unwanted.....t.......s.............@..@.rsrc.........t.......s.............@..@.reloc........t.......s.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\coml2\WebUI.dll:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.976126442398664
Encrypted:	false
SSDEEP:
MD5:	D001E433C78FBBC0C9E19E1953C07AD1
SHA1:	B80056A2510C0BF2635EB965BC241FDA4828975E
SHA-256:	044AF74E87E3E0113136218D3D39D33FC986333BD6F518097E20457943DD7BA1
SHA-512:	6F7FD6252FA3BA180894A441950B288AFC67E4F2D625B2D04D9871C652A967B2B2815F0EC504BBA9BAEB6064DC7C928C2D3A58693C17CE497DC3FE9492BB2E16
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]..ZoneId=3..ReferrerUrl=C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes.zip..

C:\Users\user\AppData\Roaming\coml2\cortex.dmg

Download File

Process:	C:\Users\user\Desktop\Setup_Free-Installer\Setup_Free-File.exe
File Type:	data
Category:	dropped
Size (bytes):	7147950
Entropy (8bit):	7.982010238204096
Encrypted:	false
SSDEEP:
MD5:	2B9217F3132873190B8FF0263502E31C
SHA1:	6717C87A1111B83174D7ECC07D9CA235E0AF0CE5
SHA-256:	865F091C9053CDC8256D5515B7D79D6673942BDBB97ADF6F23A56F78921EC242
SHA-512:	D1B017EE6A930F9E277819E90C4CF7F3EC0C9B07D89D214F118CF4411D8BEE2C08830089B817DCB6D0A0BBD6E77625DAB46A11C5F84D835D657A477D649164AB
Malicious:	false
Reputation:	unknown
Preview:	My.S.ZkSQ.Ho.......D...l.sfo.`G...Z.lMF..k...D.[m.ea.\..q..y..BH.C....x.gm.o.\p.....qnTug.._..F.Y.r...Bvs.Qobn..G..Q.INygM..p..C..a..S.D.Q..e.L..IQhPE..^.N....jpd..S..f..ewA.xuS..N.......v]Md.fiVMl.]q.....wwH..........`q..U.mB.Lx.q...b....Y..[.F.cD..q.q.A..x...\w.\...K.v..arIi.MJ..\.k.s...`..e.....K.[TH..]R.aF[.....FvjA.`.W....Ie.Pbeu.S.c`Gb.U.Z.......\.GJKUf.nX..i..rL....FIm....u.`...L..Wik.i^.ZZN....Y..MxW_L..S.UQ.......x_Cf.FBvG.x.c..O....t....w.o`.]A.......Cm..F.^.J...tv..Z..Jfka.....qd..J`lyl.F.....q....N.]ffJ^j.....DhE..wVBo.kg.^.sj.A.....O..w...u.lggFTY^..^Bh.Btm.r[.Uy.j.BA.w.C..b..wDr..nRp....^...B.PZv.qUM.....ZAIR.mu..Ho..qw.ugZuG.gr.rt..`.RkY.......\...Se..w..YmU.e...a..ee\.v].....Mb.BP...AO.K..Ah.........s.M.C.uo.I.Fv.WcRX..q.v....F.P.m]..`lp..tPL...JSop..sU.j.t..Wc^.iY...r.t[jwJ...gX...v.oAp`]jW._Dh.[u..gD.f...d...acY.P.h..o..B..PQD....d.p...Mh..`i.nx.Zo^I...ush.s.Br.d.M..y..rq...^..P\.[le.f....C..VYy\an..h........]ne....SiJl.TZ.....L...N..xyK^..vR......S.KG.EI..D.I..n..V..

C:\Users\user\Downloads\50162c2c-b0ca-4a13-a296-7b47c924b577.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	8265232
Entropy (8bit):	7.998492782389073
Encrypted:	true
SSDEEP:
MD5:	971ED8B67CD948A117267AB18C3E3C72
SHA1:	E308754A149749728DE8685F46F8AAB8A7F0CFD2
SHA-256:	92898F2D7552855FE1E5630F1BC9539B637F1366F2C265D1DF95F41130CFF06A
SHA-512:	C6D1587D4154664D9B8F3711C8AADB2E3311A951837715331EC70233BA6DC1C8D8529BC202DA71945872F251FCCB80851C4DEACCA0538518B3917D55D945F800
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Users\user\Downloads\@!Pa sc0d __-NewFiLes (1).zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	13348368
Entropy (8bit):	7.999304334825533
Encrypted:	true
SSDEEP:
MD5:	9B034D4EFABDB2C209FA4793319C58F0
SHA1:	238A7B1374E6782A8DCCCD2559ED207EAAB020B3
SHA-256:	0AF36CE40866DEC4ED5E1AC91663040C062360BFD7A166A0AB598F2F8571F1B5
SHA-512:	4D8535D5EBB096CD0CBA7B94FBD17979B114A5CE42525AECE3E863AF61C042E12DFDA08179B767440BB0A264C7C6F169844FEF3C155C8F6235805D636AB6FD7A
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Users\user\Downloads\@!Pa sc0d __-NewFiLes.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	25766452
Entropy (8bit):	7.998950991964509
Encrypted:	true
SSDEEP:
MD5:	349280AE97ADF89F479E287F8E984854
SHA1:	A1FD690960CA1B71DAAAA844B8654CAA4C450B45
SHA-256:	95B99C1C104C15F506512E1BCEC38B839A47A27081E21B992703103A9EF9C48E
SHA-512:	64C174B11D0BDECD10B88743FF42A41D10E861E76E6DF9D5499FC9054AEC0FCB1BA06169411F5537A650FB1729F425F3F0C7E0D73ED2B69FBE08B05923514315
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes (1).zip.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	971ED8B67CD948A117267AB18C3E3C72
SHA1:	E308754A149749728DE8685F46F8AAB8A7F0CFD2
SHA-256:	92898F2D7552855FE1E5630F1BC9539B637F1366F2C265D1DF95F41130CFF06A
SHA-512:	C6D1587D4154664D9B8F3711C8AADB2E3311A951837715331EC70233BA6DC1C8D8529BC202DA71945872F251FCCB80851C4DEACCA0538518B3917D55D945F800
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	349280AE97ADF89F479E287F8E984854
SHA1:	A1FD690960CA1B71DAAAA844B8654CAA4C450B45
SHA-256:	95B99C1C104C15F506512E1BCEC38B839A47A27081E21B992703103A9EF9C48E
SHA-512:	64C174B11D0BDECD10B88743FF42A41D10E861E76E6DF9D5499FC9054AEC0FCB1BA06169411F5537A650FB1729F425F3F0C7E0D73ED2B69FBE08B05923514315
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes.zip.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	3781B0A7610F0AE18DB59B0C9C3C1BCF
SHA1:	11369FF99C08AB88D6262C0805969AF9BF6D398D
SHA-256:	33C36C72CEC24EED70A7725F893958D0FF8035FF1926F85CC6D7EA1184D01D22
SHA-512:	8A59EDA0D2A1C1BC80E5035C1C29F8043346CD1B0478DCA32A6EBE31042CB5CD660C53501552FFEE230A1E38079190DBCB2090ACF93445DD10237AB05DDEF416
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Users\user\Downloads\d4c7ac12-a2c7-44a6-b450-530f5f6f054f.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	11792
Entropy (8bit):	7.960049369507164
Encrypted:	false
SSDEEP:
MD5:	3781B0A7610F0AE18DB59B0C9C3C1BCF
SHA1:	11369FF99C08AB88D6262C0805969AF9BF6D398D
SHA-256:	33C36C72CEC24EED70A7725F893958D0FF8035FF1926F85CC6D7EA1184D01D22
SHA-512:	8A59EDA0D2A1C1BC80E5035C1C29F8043346CD1B0478DCA32A6EBE31042CB5CD660C53501552FFEE230A1E38079190DBCB2090ACF93445DD10237AB05DDEF416
Malicious:	false
Reputation:	unknown
Preview:	PK........H/sX............,...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/UT...x).e.cYfux.............PK.........+.R..DC.....(.:...@!Pa sc0d.__-NewFiLes/Setup_Free-Installer/libvlccore.dllUT......`...`ux..............\.x.U....J{0..b].%@.."..R......(. .E..Hk....j.@.5............. >(.)(.\|.., pEL,.pA@@r..1m...I....23.......?g....:H.d..pX..J.........n.Vw..}....{...Y...WN..N.<c.L.uJ...j..d..1:.Z>...O...6F#{.$9.HZ0`...4.vP..{.!.z.u......I.k._+.I.Rr.G.60.).^...@/..&.y....B..7K5.0.4..C..4).c.n) ...X.4..G..f)....0MJ...&.4r:.O.Wq...+..R...Q.....>E.]..~...X.K.qv...O%...z54@.....h.........;%...P.us.t.7k.y.1....o1.K..L..p...+........o\4.......7.';...3.UF..../8.gUN.{b[......q.e3a .5.\...;/.7.........O.h.....?9..)MF..n.KO%K.F...\|.p......._.}u...............8........,.\....r..~...`^....!c...oZR.no6..%...R.o<G..0...c.w.....U.Zv.n<g..u.A.....w:Y".=.-..M..I.S...q<g....p.2l..S..F. ..Z...\..R..]..w.X..X~...15...H..:.........{.u_.....W*.......rm..l.%...=G...6.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.310136744468431
Encrypted:	false
SSDEEP:
MD5:	BC4267FB6790D9E77ED1EB3ACBE3EC42
SHA1:	D456D4F487B07BADBD2B5187A3214FD130F9693F
SHA-256:	FE6E0AD0F0BA70E130168BF7CAF29A80A587FFDEDD22EA9F3D155F2E5743F091
SHA-512:	1FE17DECB37708ECF6E3CF974BE3DDAED12484C96D341D39CB81C6BBD05B01585415579582663A08A0E5020FE3EB4E52F236F3D81F9A6DFC93472E9B48CA9CDE
Malicious:	false
Reputation:	unknown
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

⊘No static file info

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UpdateUiClient.e_6831b777b31e168c889b7440368edef2f65358c6_4370b9a3_44602666-f85a-4920-938b-350ad7f2947c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UpdateUiClient.e_6831b777b31e168c889b7440368edef2f65358c6_4370b9a3_67a20cdf-6ec0-4732-bd04-bd956979eb0d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D20.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D41.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER56A3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5740.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5760.tmp.xml

C:\Users\user\AppData\Local\Temp\52771410

C:\Users\user\AppData\Local\Temp\6ef993a2

C:\Users\user\AppData\Local\Temp\UpdateUiClient.exe

C:\Users\user\AppData\Local\Temp\nxhpvkaohbmy

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\AppData\Roaming\coml2\WebUI.dll

C:\Users\user\AppData\Roaming\coml2\WebUI.dll:Zone.Identifier

C:\Users\user\AppData\Roaming\coml2\cortex.dmg

C:\Users\user\Downloads\50162c2c-b0ca-4a13-a296-7b47c924b577.tmp

C:\Users\user\Downloads\@!Pa sc0d __-NewFiLes (1).zip.crdownload

C:\Users\user\Downloads\@!Pa sc0d __-NewFiLes.zip.crdownload

C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes (1).zip.crdownload (copy)

C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes.zip (copy)

C:\Users\user\Downloads\@!Pa sc0d.__-NewFiLes.zip.crdownload (copy)

C:\Users\user\Downloads\d4c7ac12-a2c7-44a6-b450-530f5f6f054f.tmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info