Windows Analysis Report file.exe

C2 URLs / IPs found in malware configuration

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdbs source: file.exe
Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdb source: file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_02F8C6B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_02F8D690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F977D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F977D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F89FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F89FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9738D GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02F9738D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F964C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	0_2_02F964C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_02F8BC98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F81443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F81443
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8C039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8E016
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F96D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02F96D7D

Networking

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199730044335
Source: Malware configuration extractor	URLs: https://t.me/bu77un

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49708 -> 116.202.180.70:5432

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F84AD5 GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_02F84AD5

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: file.exe	String found in binary or memory: http:///1.18.10.3141/Apps/Battle.net.agent.db
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: file.exe, 00000000.00000002.2334293329.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, 00000000.00000003.2227716018.000000000A074000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227655043.000000000A06D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227758478.000000000A07D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c5c6e24cd307b
Source: file.exe	String found in binary or memory: http://iir.blizzard.com:3724/submit/BNET_APP
Source: file.exe	String found in binary or memory: http://iir.blizzard.com:3724/submit/BNET_APPUnknown
Source: file.exe	String found in binary or memory: http://nydus.battle.net/App/%s/setup/error/%s
Source: file.exe	String found in binary or memory: http://nydus.battle.net/geoip
Source: file.exe	String found in binary or memory: http://nydus.battle.net/geoipX-Geoip-RegionX-Geoip-CountryUSCNSEASGGETd:
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe	String found in binary or memory: http://scripts.sil.org/OFL
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.google.com/get/noto/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/1
Source: file.exe, 00000000.00000002.2339985934.000000000A06D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/2
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/T
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/Y/h
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/dows
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/ps;PATHEXT=.CO
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dll
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dll4
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dllnamK.exe
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/talV
Source: file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432Content-Disposition:
Source: file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2336090672.0000000002FB0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432rss.exe
Source: file.exe	String found in binary or memory: https://bitwarden.com
Source: file.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: file.exe	String found in binary or memory: https://nydus.battle.net/App/%s/setup/app
Source: file.exe	String found in binary or memory: https://nydus.battle.net/App/%s/setup/appSelected
Source: file.exe, file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335
Source: file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2336090672.0000000002FC5000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://t.me/bu77un
Source: file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bu77unguf_hMozilla/5.0
Source: file.exe	String found in binary or memory: https://telemetry-in.battle.net/data
Source: file.exe	String found in binary or memory: https://telemetry-in.battlenet.com.cn/data
Source: file.exe	String found in binary or memory: https://telemetry-in.battlenet.com.cn/datahttps://telemetry-in.battle.net/data
Source: file.exe, 00000000.00000003.2210215100.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: file.exe	String found in binary or memory: https://www.openssl.org/docs/faq.html

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F93160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

0_2_02F93160

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00977D3D NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00977D3D

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977D3D	0_2_00977D3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094037D	0_2_0094037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009604E6	0_2_009604E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940000	0_2_00940000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00960113	0_2_00960113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009606BB	0_2_009606BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00960EC9	0_2_00960EC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9F6CF	0_2_02F9F6CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9EEC1	0_2_02F9EEC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9ECEC	0_2_02F9ECEC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9E919	0_2_02F9E919

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000000.2099940661.0000000001263000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBattle.net-Setup.exeD vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameBattle.net-Setup.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/7@2/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00940A8D CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification,

0_2_00940A8D

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\BNR8DUDO.htm

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e44e4a1c-0572-4549-9da6-a8b01284fa9a

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: file.exe	String found in binary or memory: %lxLoadLibraryExA\/AddDllDirectoryserver response timeoutselect/poll errorcached response data too big to handleresponse reading failedExcessive server response line length received, %zd bytes. Stripping
Source: file.exe	String found in binary or memory: id-cmc-addExtensions
Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: en Sie alle Battle.net-Installationsprogramme, warten Sie 30 Sekunden und versuchen Sie es erneut.
Source: file.exe	String found in binary or memory: en Sie alle Battle.net-Installationsprogramme, warten Sie 30 Sekunden und versuchen Sie es erneut.Ups! Sieht so aus, als ob etwas nicht mehr korrekt funktioniert. Fehlercode: {error_code}Ups! Sieht so aus, als ob etwas nicht mehr korrekt funktioniert: {message}
Source: file.exe	String found in binary or memory: battle.net-launcher.log
Source: file.exe	String found in binary or memory: battle.net-launcher
Source: file.exe	String found in binary or memory: @{%s}enUSBytesKilobytesMegabytesGigabytesTerabytes%.2finvalid unordered_map<K, T> keyd:\buildserver\bna-2\work-git\bootstrapper-repository\contrib\contrib\cajun\json\reader.inlm_itCurrent != m_Tokens.end()nullUnexpected character in stream: Expected string: Unrecognized escape sequence found in string: \0123456789.eE-+Unexpected end of token streamUnexpected token: Duplicate object member token: Unexpected character in NUMBER token: Unexpected End of token streamObject member already exists: expires_atbtsagentusfiledirectorymessageplatformwinconfigtagsallupdate_methoddistproduct=btsproduct=AgentSTATE_INVALID_PROGRESS_STATESTATE_CHECK_ENVIRONMENTSTATE_UPDATE_BOOTSTRAPPERSTATE_EXTRACT_AGENTSTATE_START_AGENTSTATE_CHECK_AGENTSTATE_UPDATE_AGENTSTATE_CHECK_CLIENTSTATE_UPDATE_CLIENTSTATE_LAUNCH_CLIENTSTATE_CHECK_UNREGISTERED_CLIENTSTATE_INSTALL_CLIENTSTATE_SELECT_LANGUAGESTATE_TRIGGER_RESTARTSTATE_EXITINGRESTART_RUN_SETUPRESTART_RUN_ORIGINALRESTART_ELEVATEanalytic] - launchersetupWe were launched by cmdver= and we are cmdver=, allowing self-patching to occurBootstrapper work completed. Shutting down.LogsFailed to check if another instance of bootstrapper is running. Shutting down...Another instance of bootstrapper is running. Shutting down...Checking permissions on path: depth=Elevation is unnecessary. The current user is an administrator.Permissions problem detected for path and elevation is required. path=Failed to repair file/folder permissions: path=Session hash generated. hash=Session hash extracted from process. hash=Checking for bootstrapper updates.We need to patch but are running from the patching location. Continuing without patching.We are currently up to date.Agent is missing. Will download Agent.The installed agent is older than the one remotely available. Will download Agent.Agent is currently up to date.Elevation required: Restarting to fix Image File Execution options.Agent is running as another user. We can't safely perform work with agent. Shutting down...An update is in progress. Transitioning to update state to track the update.Beta branch detected on client, setting to retail branchAlready updated client. Skipping updateBattle.netpatchBootstrapper thread startedA crash delay ws set via command line argument.Battle.net Setup started. Running from: Configuration: locale= region= uid=Running as adminEmbedded data found on command line: Embedded data found in binary: Session hash found: client_idAn error code is set via command line argument. Raising that error nowAn agent error code is set via command line argument. Raising that error nowBootstrapper thread completedEntering main loop.Bootstrapper State: Invalid transition to state: Restart triggered with reason: Failed to update agent. Continuing on.filenameHandling exception in state Exceeded maximum exception countException converted to: Bootstrapperbattle.net-setup.logbattle.net-launcher.logbattle.net-setupbattle.net-launcherPosting exception to controller: Failed to create Batt
Source: file.exe	String found in binary or memory: DBG-ADDR<{:x}>("{}")
Source: file.exe	String found in binary or memory: DBG-ADDR<
Source: file.exe	String found in binary or memory: : error %u: (%u)%s %s.%s Log-auto-attachmentDBG-ADDR<{:x}>("{}")DBG-OPTIONS<FunctionsOnly>
Source: file.exe	String found in binary or memory: WowError.exeAssertion FailureWowErrord.exeUnknown ErrorFatal Exception<unknown>ERROR #%u (0x%08x) %s %s%08X %08X %04X:%08X %s<can't read from this address>%08X: Exe:%02X %02X %02X %02X Time:%-10s%sUser:%-10s%3s %2d, %4d %2d:%02d:%02d.%03d %cMMemory DumpComputer:Stack: %d bytes starting at (ESP = %08X)Code: %d bytes starting at (EIP = %08X)<unknown symbol><unknown module>** SymGetLineFromAddr() failed, error: %d SymGetModuleInfo() failed, error: %d%08X %-12s %s+%d (0x%08X,0x%08X,0x%08X,0x%08X) (%s,%d) SymGetSymFromAddr() failed, error: %d%08X %-12s %s+%d (%s,%d)%08X %-12s %s+%d (0x%08X,0x%08X,0x%08X,0x%08X) StackWalk() returned FALSE, error: %d%08X %-12s %s+%dStack Trace (Using DBGHELP.DLL) StackWalk() returned zero address - skipping stack frameShowing %d/%d threads... Couldn't load DBGHELP.DLL, error: %d--- Thread ID: %d ------ Thread ID: %d [Current Thread] --- Unable to retrieve thread context, error: %d** Unable to gain access to the thread, error: Address Frame Logical addr ModuleStack Trace (Manual)%4.4x%2.2x%16.16lx%8.8xx86 Registers = %04xLoaded Modules%02x%08x>("DBG-ADDR<+")DBG-MODULE<%8x" "%04d-%02d-%02d %02d.%02d.%02d>dbghelp.dllBlizzard::DebugSymFunctionTableAccess64StackWalk64SymGetModuleBase64SymGetLineFromAddr64SymGetOptionsSymGetModuleInfo64SymInitializeSymGetSymFromAddr64SymSetOptionsSymCleanupSymEnumerateSymbols64SymEnumerateModules64EAXMiniDumpWriteDumpECXEBXESIEDXEBPEDIEIPESPCSFLGESDSGSFSDR0SSDR2DR1DR6DR3psapi.dllDR7GetModuleInformationEnumProcessModules<Application>{}
Source: file.exe	String found in binary or memory: /install
Source: file.exe	String found in binary or memory: J\|U-QtJ\|4,QExecuteUpdateCreateShortcutUninstall/updateresult_uri{"uid":"%s"}/installresponse_urirun64bit/gamesessionuninstall_complete%s/%sinstructions_productinstructions_patch_urlforminstructions_dataset{"uid":"%s","background_download": %s}{"paused": false}{"uid" : "%s","title" : "%s"}/createshortcut/backfill/version(M\|

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

Source: C:\Users\user\Desktop\file.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Contains functionality to dynamically determine API calls

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5158776 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2cc000
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x11e400

Source: file.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdbs source: file.exe
Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F9A76B lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LoadLibraryA,GetProcAddress,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,OpenEventA,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CreateEventA,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,ExitProcess,

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0xbe708 should be: 0x4f7dcb

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009636EF push ecx; ret		0_2_00963702
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA1EF5 push ecx; ret		0_2_02FA1F08

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F9B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02F9B050

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_02F8C6B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_02F8D690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F977D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F977D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F89FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F89FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9738D GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02F9738D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F964C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	0_2_02F964C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_02F8BC98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F81443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F81443
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8C039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8E016
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F96D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02F96D7D

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91F21 GetSystemInfo,wsprintfA,

0_2_02F91F21

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$mK
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareY
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp{
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02FA224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_02FA224F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094093D mov eax, dword ptr fs:[00000030h]	0_2_0094093D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094037D mov edx, dword ptr fs:[00000030h]	0_2_0094037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095C4ED mov eax, dword ptr fs:[00000030h]	0_2_0095C4ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940CED mov eax, dword ptr fs:[00000030h]	0_2_00940CED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940F8C mov eax, dword ptr fs:[00000030h]	0_2_00940F8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940F8D mov eax, dword ptr fs:[00000030h]	0_2_00940F8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9ACF3 mov eax, dword ptr fs:[00000030h]	0_2_02F9ACF3

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91ADD GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_02F91ADD

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02FA224F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA1C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02FA1C0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA3DCD SetUnhandledExceptionFilter,	0_2_02FA3DCD

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F90A14 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_02F90A14

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F938BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		0_2_02F938BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F937BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_02F937BD

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009427FA cpuid

0_2_009427FA

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_02F91D31

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3BFEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F3BFEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91BEC GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_02F91BEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91CBF GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_02F91CBF

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.file.exe.9423fa.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9423fa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Remote Access Functionality

Antivirus detection for URL or domain

Source: Yara match	File source: 0.2.file.exe.9423fa.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9423fa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.202.180.70	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

Contacted Domains

Name	IP	Active
t.me	149.154.167.99	true
198.187.3.20.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199730044335	true	Avira URL Cloud: malware	unknown
https://t.me/bu77un	true	Avira URL Cloud: malware	unknown

AV Detection

Source: https://steamcommunity.com/profiles/76561199730044335	Avira URL Cloud: Label: malware
Source: https://t.me/bu77un	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199730044335", "https://t.me/bu77un"], "Botnet": "d2e09041336e6342825973ff413879b9"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Sleep
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sscanf
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: NtQueryInformationProcess
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Process32First
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: FindClose
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetDC
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: PATH
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Soft:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: profile:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Host:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Login:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Password:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Opera
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Network
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Cookies
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: .txt
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: TRUE
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: FALSE
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Autofill
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: History
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Name:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Month:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Year:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Card:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Cookies
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Login Data
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Web Data
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: History
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: logins.json
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: usernameField
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: guid
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Plugins
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Local State
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: chrome
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: opera
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: firefox
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Wallets
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ProductName
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: .exe
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: runas
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: open
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: /c start
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Files
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \discord\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: key_datas
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: map*
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Telegram
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: *.tox
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: *.ini
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Password
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: 00000001
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: 00000002
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: 00000003
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: 00000004
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: token:
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \config\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: browsers
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: done
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Soft
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: https
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: POST
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: hwid
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: build
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: token
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: file_name
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: file
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: message
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.9423fa.0.raw.unpack	String decryptor: screenshot.jpg

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F87E41 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_02F87E41
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8AB80 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	0_2_02F8AB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9302D CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_02F9302D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F87DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_02F87DC2

Source: file.exe, 00000000.00000000.2099747111.00000000010CD000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_64b4a83a-d

C2 URLs / IPs found in malware configuration

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdbs source: file.exe
Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdb source: file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_02F8C6B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_02F8D690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F977D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F977D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F89FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F89FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9738D GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02F9738D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F964C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	0_2_02F964C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_02F8BC98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F81443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F81443
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8C039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8E016
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F96D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02F96D7D

Networking

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199730044335
Source: Malware configuration extractor	URLs: https://t.me/bu77un

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49708 -> 116.202.180.70:5432

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.180.70
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

0_2_02F84AD5

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: file.exe	String found in binary or memory: http:///1.18.10.3141/Apps/Battle.net.agent.db
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: file.exe, 00000000.00000002.2334293329.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, 00000000.00000003.2227716018.000000000A074000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227655043.000000000A06D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227758478.000000000A07D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c5c6e24cd307b
Source: file.exe	String found in binary or memory: http://iir.blizzard.com:3724/submit/BNET_APP
Source: file.exe	String found in binary or memory: http://iir.blizzard.com:3724/submit/BNET_APPUnknown
Source: file.exe	String found in binary or memory: http://nydus.battle.net/App/%s/setup/error/%s
Source: file.exe	String found in binary or memory: http://nydus.battle.net/geoip
Source: file.exe	String found in binary or memory: http://nydus.battle.net/geoipX-Geoip-RegionX-Geoip-CountryUSCNSEASGGETd:
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe	String found in binary or memory: http://scripts.sil.org/OFL
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.google.com/get/noto/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/1
Source: file.exe, 00000000.00000002.2339985934.000000000A06D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/2
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/T
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/Y/h
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/dows
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/ps;PATHEXT=.CO
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dll
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dll4
Source: file.exe, 00000000.00000002.2336090672.00000000030B9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/sqlt.dllnamK.exe
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432/talV
Source: file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432Content-Disposition:
Source: file.exe, 00000000.00000002.2336090672.0000000003148000.00000004.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2336090672.0000000002FB0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://116.202.180.70:5432rss.exe
Source: file.exe	String found in binary or memory: https://bitwarden.com
Source: file.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: file.exe	String found in binary or memory: https://nydus.battle.net/App/%s/setup/app
Source: file.exe	String found in binary or memory: https://nydus.battle.net/App/%s/setup/appSelected
Source: file.exe, file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335
Source: file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2336090672.0000000002FC5000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://t.me/bu77un
Source: file.exe, 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bu77unguf_hMozilla/5.0
Source: file.exe	String found in binary or memory: https://telemetry-in.battle.net/data
Source: file.exe	String found in binary or memory: https://telemetry-in.battlenet.com.cn/data
Source: file.exe	String found in binary or memory: https://telemetry-in.battlenet.com.cn/datahttps://telemetry-in.battle.net/data
Source: file.exe, 00000000.00000003.2210215100.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: file.exe	String found in binary or memory: https://www.openssl.org/docs/faq.html

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\file.exe

0_2_02F93160

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00977D3D NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00977D3D

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977D3D	0_2_00977D3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094037D	0_2_0094037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009604E6	0_2_009604E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940000	0_2_00940000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00960113	0_2_00960113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009606BB	0_2_009606BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00960EC9	0_2_00960EC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9F6CF	0_2_02F9F6CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9EEC1	0_2_02F9EEC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9ECEC	0_2_02F9ECEC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9E919	0_2_02F9E919

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000000.2099940661.0000000001263000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBattle.net-Setup.exeD vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameBattle.net-Setup.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000002.2334234419.0000000000976000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/7@2/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00940A8D CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification,

0_2_00940A8D

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\BNR8DUDO.htm

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e44e4a1c-0572-4549-9da6-a8b01284fa9a

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: file.exe	String found in binary or memory: %lxLoadLibraryExA\/AddDllDirectoryserver response timeoutselect/poll errorcached response data too big to handleresponse reading failedExcessive server response line length received, %zd bytes. Stripping
Source: file.exe	String found in binary or memory: id-cmc-addExtensions
Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: en Sie alle Battle.net-Installationsprogramme, warten Sie 30 Sekunden und versuchen Sie es erneut.
Source: file.exe	String found in binary or memory: en Sie alle Battle.net-Installationsprogramme, warten Sie 30 Sekunden und versuchen Sie es erneut.Ups! Sieht so aus, als ob etwas nicht mehr korrekt funktioniert. Fehlercode: {error_code}Ups! Sieht so aus, als ob etwas nicht mehr korrekt funktioniert: {message}
Source: file.exe	String found in binary or memory: battle.net-launcher.log
Source: file.exe	String found in binary or memory: battle.net-launcher
Source: file.exe	String found in binary or memory: @{%s}enUSBytesKilobytesMegabytesGigabytesTerabytes%.2finvalid unordered_map<K, T> keyd:\buildserver\bna-2\work-git\bootstrapper-repository\contrib\contrib\cajun\json\reader.inlm_itCurrent != m_Tokens.end()nullUnexpected character in stream: Expected string: Unrecognized escape sequence found in string: \0123456789.eE-+Unexpected end of token streamUnexpected token: Duplicate object member token: Unexpected character in NUMBER token: Unexpected End of token streamObject member already exists: expires_atbtsagentusfiledirectorymessageplatformwinconfigtagsallupdate_methoddistproduct=btsproduct=AgentSTATE_INVALID_PROGRESS_STATESTATE_CHECK_ENVIRONMENTSTATE_UPDATE_BOOTSTRAPPERSTATE_EXTRACT_AGENTSTATE_START_AGENTSTATE_CHECK_AGENTSTATE_UPDATE_AGENTSTATE_CHECK_CLIENTSTATE_UPDATE_CLIENTSTATE_LAUNCH_CLIENTSTATE_CHECK_UNREGISTERED_CLIENTSTATE_INSTALL_CLIENTSTATE_SELECT_LANGUAGESTATE_TRIGGER_RESTARTSTATE_EXITINGRESTART_RUN_SETUPRESTART_RUN_ORIGINALRESTART_ELEVATEanalytic] - launchersetupWe were launched by cmdver= and we are cmdver=, allowing self-patching to occurBootstrapper work completed. Shutting down.LogsFailed to check if another instance of bootstrapper is running. Shutting down...Another instance of bootstrapper is running. Shutting down...Checking permissions on path: depth=Elevation is unnecessary. The current user is an administrator.Permissions problem detected for path and elevation is required. path=Failed to repair file/folder permissions: path=Session hash generated. hash=Session hash extracted from process. hash=Checking for bootstrapper updates.We need to patch but are running from the patching location. Continuing without patching.We are currently up to date.Agent is missing. Will download Agent.The installed agent is older than the one remotely available. Will download Agent.Agent is currently up to date.Elevation required: Restarting to fix Image File Execution options.Agent is running as another user. We can't safely perform work with agent. Shutting down...An update is in progress. Transitioning to update state to track the update.Beta branch detected on client, setting to retail branchAlready updated client. Skipping updateBattle.netpatchBootstrapper thread startedA crash delay ws set via command line argument.Battle.net Setup started. Running from: Configuration: locale= region= uid=Running as adminEmbedded data found on command line: Embedded data found in binary: Session hash found: client_idAn error code is set via command line argument. Raising that error nowAn agent error code is set via command line argument. Raising that error nowBootstrapper thread completedEntering main loop.Bootstrapper State: Invalid transition to state: Restart triggered with reason: Failed to update agent. Continuing on.filenameHandling exception in state Exceeded maximum exception countException converted to: Bootstrapperbattle.net-setup.logbattle.net-launcher.logbattle.net-setupbattle.net-launcherPosting exception to controller: Failed to create Batt
Source: file.exe	String found in binary or memory: DBG-ADDR<{:x}>("{}")
Source: file.exe	String found in binary or memory: DBG-ADDR<
Source: file.exe	String found in binary or memory: : error %u: (%u)%s %s.%s Log-auto-attachmentDBG-ADDR<{:x}>("{}")DBG-OPTIONS<FunctionsOnly>
Source: file.exe	String found in binary or memory: WowError.exeAssertion FailureWowErrord.exeUnknown ErrorFatal Exception<unknown>ERROR #%u (0x%08x) %s %s%08X %08X %04X:%08X %s<can't read from this address>%08X: Exe:%02X %02X %02X %02X Time:%-10s%sUser:%-10s%3s %2d, %4d %2d:%02d:%02d.%03d %cMMemory DumpComputer:Stack: %d bytes starting at (ESP = %08X)Code: %d bytes starting at (EIP = %08X)<unknown symbol><unknown module>** SymGetLineFromAddr() failed, error: %d SymGetModuleInfo() failed, error: %d%08X %-12s %s+%d (0x%08X,0x%08X,0x%08X,0x%08X) (%s,%d) SymGetSymFromAddr() failed, error: %d%08X %-12s %s+%d (%s,%d)%08X %-12s %s+%d (0x%08X,0x%08X,0x%08X,0x%08X) StackWalk() returned FALSE, error: %d%08X %-12s %s+%dStack Trace (Using DBGHELP.DLL) StackWalk() returned zero address - skipping stack frameShowing %d/%d threads... Couldn't load DBGHELP.DLL, error: %d--- Thread ID: %d ------ Thread ID: %d [Current Thread] --- Unable to retrieve thread context, error: %d** Unable to gain access to the thread, error: Address Frame Logical addr ModuleStack Trace (Manual)%4.4x%2.2x%16.16lx%8.8xx86 Registers = %04xLoaded Modules%02x%08x>("DBG-ADDR<+")DBG-MODULE<%8x" "%04d-%02d-%02d %02d.%02d.%02d>dbghelp.dllBlizzard::DebugSymFunctionTableAccess64StackWalk64SymGetModuleBase64SymGetLineFromAddr64SymGetOptionsSymGetModuleInfo64SymInitializeSymGetSymFromAddr64SymSetOptionsSymCleanupSymEnumerateSymbols64SymEnumerateModules64EAXMiniDumpWriteDumpECXEBXESIEDXEBPEDIEIPESPCSFLGESDSGSFSDR0SSDR2DR1DR6DR3psapi.dllDR7GetModuleInformationEnumProcessModules<Application>{}
Source: file.exe	String found in binary or memory: /install
Source: file.exe	String found in binary or memory: J\|U-QtJ\|4,QExecuteUpdateCreateShortcutUninstall/updateresult_uri{"uid":"%s"}/installresponse_urirun64bit/gamesessionuninstall_complete%s/%sinstructions_productinstructions_patch_urlforminstructions_dataset{"uid":"%s","background_download": %s}{"paused": false}{"uid" : "%s","title" : "%s"}/createshortcut/backfill/version(M\|

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

Source: C:\Users\user\Desktop\file.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Contains functionality to dynamically determine API calls

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5158776 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2cc000
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x11e400

Source: file.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdbs source: file.exe
Source:	Binary string: D:\BuildServer\bna-2\work-git\bootstrapper-repository\src\Release\Bootstrapper.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0xbe708 should be: 0x4f7dcb

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009636EF push ecx; ret		0_2_00963702
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA1EF5 push ecx; ret		0_2_02FA1F08

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_02F9B050

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_02F8C6B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_02F8D690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F977D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F977D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F89FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F89FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9738D GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02F9738D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F964C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	0_2_02F964C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_02F8BC98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F81443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F81443
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8C039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F8E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02F8E016
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F96D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02F96D7D

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91F21 GetSystemInfo,wsprintfA,

0_2_02F91F21

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2334293329.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$mK
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareY
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp{
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02FA224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_02FA224F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094093D mov eax, dword ptr fs:[00000030h]	0_2_0094093D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094037D mov edx, dword ptr fs:[00000030h]	0_2_0094037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095C4ED mov eax, dword ptr fs:[00000030h]	0_2_0095C4ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940CED mov eax, dword ptr fs:[00000030h]	0_2_00940CED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940F8C mov eax, dword ptr fs:[00000030h]	0_2_00940F8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940F8D mov eax, dword ptr fs:[00000030h]	0_2_00940F8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9ACF3 mov eax, dword ptr fs:[00000030h]	0_2_02F9ACF3

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91ADD GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_02F91ADD

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02FA224F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA1C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02FA1C0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA3DCD SetUnhandledExceptionFilter,	0_2_02FA3DCD

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

0_2_02F90A14

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F938BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		0_2_02F938BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F937BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_02F937BD

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009427FA cpuid

0_2_009427FA

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_02F91D31

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3BFEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F3BFEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91BEC GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_02F91BEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02F91CBF GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_02F91CBF

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: file.exe, 00000000.00000002.2340419499.000000000A43E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2334293329.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.file.exe.9423fa.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9423fa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2336053531.0000000002FA5000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335861856.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2334234419.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Remote Access Functionality