Windows Analysis Report
nyen2eabmfb.exe

AI detected suspicious sample

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Unpacked PE file: 1.2.Insidious_protected.exe.940000.0.unpack

Source: nyen2eabmfb.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2

Source:	Binary string: FC:\Windows\symbols\dll\mscorlib.pdb4.0.30319\diasymreader.dllllFiles source: Insidious_protected.exe, 00000001.00000002.1859218842.00000000013CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: diasymreader.dllib.pdbpdbktx source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: \|C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll_b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: .C:\Windows\mscorlib.pdbpdb0.? source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbL}s source: Insidious_protected.exe, 00000001.00000002.1859218842.00000000013CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: c:\windows\microsoft.net\assembly\gac_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbv source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: .C:\Windows\mscorlib.pdbpdbY source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .c:\windows\mscorlib.pdbpdbVS source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_ source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb0 source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1859218842.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, WER33B7.tmp.dmp.4.dr
Source:	Binary string: \Stealler\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: .C:\Windows\mscorlib.pdbpdbe source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbP source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: nyen2eabmfb.exe
Source:	Binary string: System.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_) source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001383000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040481A FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0040481A
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_00409237 SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00409237

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 4x nop then jmp 031336BAh	1_2_0313351D
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 4x nop then jmp 03137DA4h	1_2_03137B21
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 4x nop then jmp 03132CB4h	1_2_03132BA8
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 4x nop then inc dword ptr [ebp-30h]	1_2_0313F288
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 4x nop then inc dword ptr [ebp-30h]	1_2_03136560
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 4x nop then inc dword ptr [ebp-24h]	1_2_03138CE0

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: freegeoip.app

Source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.appd
Source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1860627199.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_Ho
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1860627199.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1860627199.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: Insidious_protected.exe	String found in binary or memory: https://steamcommunity.com/profiles/
Source: Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004D35000.00000004.00000800.00020000.00000000.sdmp, tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Insidious_protected.exe, 00000001.00000002.1861456782.0000000004D35000.00000004.00000800.00020000.00000000.sdmp, tmp3155.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

System Summary

Source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000001.00000002.1860627199.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

PE file has nameless sections

Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_00402267	0_2_00402267
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_00405599	0_2_00405599
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040F040	0_2_0040F040
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040F820	0_2_0040F820
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_004050C2	0_2_004050C2
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0041A9F2	0_2_0041A9F2
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0041C9B1	0_2_0041C9B1
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040EB6B	0_2_0040EB6B
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0041BB72	0_2_0041BB72
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_004013EE	0_2_004013EE
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040FC40	0_2_0040FC40
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0041B47A	0_2_0041B47A
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040F414	0_2_0040F414
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_004114D1	0_2_004114D1
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0041AF36	0_2_0041AF36
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_03135330	1_2_03135330
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0313A0D0	1_2_0313A0D0
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0313C738	1_2_0313C738
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0313EA81	1_2_0313EA81
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_031399E8	1_2_031399E8
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0313F279	1_2_0313F279
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0313F288	1_2_0313F288
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0313C728	1_2_0313C728
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_03136550	1_2_03136550
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_03136560	1_2_03136560
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_031399DF	1_2_031399DF
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_03138888	1_2_03138888
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_03138CE0	1_2_03138CE0
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_05E20040	1_2_05E20040
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_05E20007	1_2_05E20007

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: String function: 0040D7F0 appears 39 times
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: String function: 00411A98 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: String function: 00998264 appears 46 times

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6360 -s 1608

Source: nyen2eabmfb.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000001.00000002.1860627199.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: Insidious_protected.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9968701972336066
Source: Insidious_protected.exe.0.dr	Static PE information: Section: dhnhbfg ZLIB complexity 0.9962756849315069

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/15@1/1

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_0040D027 ShowWindow,GetWindowRect,GetParent,GetParent,MapWindowPoints,DestroyWindow,CoCreateInstance,GetParent,CreateWindowExW,ShowWindow,SetWindowTextW,ShowWindow,UpdateWindow,

0_2_0040D027

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

File created: C:\Users\user\AppData\Roaming\44

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6360
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6631187

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Command line argument: sfxcmd	0_2_0040B0CF
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Command line argument: sfxcmd	0_2_0040B0CF
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Command line argument: sfxname	0_2_0040B0CF
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Command line argument: STARTDLG	0_2_0040B0CF
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Command line argument: %C	0_2_0040B0CF
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Command line argument: @vA	0_2_00417590

Source: nyen2eabmfb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp, tmp31A5.tmp.dat.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: nyen2eabmfb.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

File read: C:\Users\user\Desktop\nyen2eabmfb.exe

Source: unknown	Process created: C:\Users\user\Desktop\nyen2eabmfb.exe "C:\Users\user\Desktop\nyen2eabmfb.exe"
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Process created: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe "C:\Users\user\AppData\Local\Temp\Insidious_protected.exe"
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6360 -s 1608
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Process created: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe "C:\Users\user\AppData\Local\Temp\Insidious_protected.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Detected unpacking (changes PE section rights)

Source: nyen2eabmfb.exe

Static file information: File size 1392189 > 1048576

Source: nyen2eabmfb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: FC:\Windows\symbols\dll\mscorlib.pdb4.0.30319\diasymreader.dllllFiles source: Insidious_protected.exe, 00000001.00000002.1859218842.00000000013CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: diasymreader.dllib.pdbpdbktx source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: \|C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll_b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: .C:\Windows\mscorlib.pdbpdb0.? source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbL}s source: Insidious_protected.exe, 00000001.00000002.1859218842.00000000013CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: c:\windows\microsoft.net\assembly\gac_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbv source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: .C:\Windows\mscorlib.pdbpdbY source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .c:\windows\mscorlib.pdbpdbVS source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_ source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb0 source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1859218842.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, WER33B7.tmp.dmp.4.dr
Source:	Binary string: \Stealler\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: .C:\Windows\mscorlib.pdbpdbe source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbP source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: nyen2eabmfb.exe
Source:	Binary string: System.ni.pdb source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER33B7.tmp.dmp.4.dr
Source:	Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_) source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001383000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Unpacked PE file: 1.2.Insidious_protected.exe.940000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;dhnhbfg:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;dhnhbfg:ER;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Unpacked PE file: 1.2.Insidious_protected.exe.940000.0.unpack

Source: Insidious_protected.exe.0.dr

Static PE information: 0x90591ACE [Fri Sep 28 14:44:30 2046 UTC]

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_004082C8 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004082C8

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6631187

Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name:
Source: Insidious_protected.exe.0.dr	Static PE information: section name: dhnhbfg

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_00411ADD push ecx; ret	0_2_00411AF0
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040DC90 push eax; ret	0_2_0040DCAE
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AD3A0 push 009AD400h; ret	1_2_009AD3F8
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099C3EA push 0099C418h; ret	1_2_0099C410
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099C494 push 0099C4C0h; ret	1_2_0099C4B8
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099C4F8 push 0099C52Ch; ret	1_2_0099C524
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099C424 push 0099C450h; ret	1_2_0099C448
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099C45C push 0099C488h; ret	1_2_0099C480
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AD456 push 009AD5A4h; ret	1_2_009AD59C
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AE454 push 009AE4A1h; ret	1_2_009AE499
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099A5F0 push 0099A641h; ret	1_2_0099A639
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009A453E push 009A46D8h; ret	1_2_009A46D0
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AC536 push 009AC5B5h; ret	1_2_009AC5AD
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AD684 push ecx; mov dword ptr [esp], ecx	1_2_009AD687
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AB6A4 push 009AB74Ch; ret	1_2_009AB744
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009A46DA push 009A474Bh; ret	1_2_009A4743
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AB62C push 009AB6A2h; ret	1_2_009AB69A
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AB74E push 009AB79Ch; ret	1_2_009AB794
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099A8AA push 0099A8D8h; ret	1_2_0099A8D0
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AD8F4 push ecx; mov dword ptr [esp], ecx	1_2_009AD8F6
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009AC804 push 009AC830h; ret	1_2_009AC828
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009A485E push 009A488Ch; ret	1_2_009A4884
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099A968 push 0099A994h; ret	1_2_0099A98C
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099BA48 push ecx; mov dword ptr [esp], eax	1_2_0099BA49
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099BCF2 push 0099BD20h; ret	1_2_0099BD18
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009B7D94 push ecx; mov dword ptr [esp], edx	1_2_009B7D96
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_0099BD2C push 0099BD58h; ret	1_2_0099BD50
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_009A3D60 push ecx; mov dword ptr [esp], edx	1_2_009A3D65
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Code function: 1_2_00996F90 push eax; ret	1_2_00996FCC

Source: Insidious_protected.exe.0.dr	Static PE information: section name: entropy: 7.996321345870958
Source: Insidious_protected.exe.0.dr	Static PE information: section name: dhnhbfg entropy: 7.978903931994907

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

File created: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Jump to dropped file

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Memory allocated: 3C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Window / User API: threadDelayed 608

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-15325

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe TID: 6312	Thread sleep count: 608 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe TID: 1892	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0040481A FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0040481A
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_00409237 SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00409237

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: &VBoxService.exe
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Insidious_protected.exe, 00000001.00000002.1859218842.0000000001437000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: VBoxService.exe
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1858330946.0000000000ADA000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1858330946.0000000000ADA000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: VMWare
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: nyen2eabmfb.exe, 00000000.00000002.1662290345.000000000051B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Insidious_protected.exe, 00000001.00000002.1858330946.0000000000ADA000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

API call chain: ExitProcess graph end node

graph_0-15327

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Process information queried: ProcessInformation

Hides threads from debuggers

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Open window title or class name: ollydbg

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: SIWDEBUG
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: SICE

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Code function: 1_2_0313E018 LdrInitializeThunk,

1_2_0313E018

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_00412945 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00412945

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_004082C8 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004082C8

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_00412945 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00412945
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_0041324B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041324B
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_004177EB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_004177EB
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: 0_2_004167F8 SetUnhandledExceptionFilter,	0_2_004167F8

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Process created: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe "C:\Users\user\AppData\Local\Temp\Insidious_protected.exe"

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_0040B681 cpuid

0_2_0040B681

Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_004084E4
Source: C:\Users\user\Desktop\nyen2eabmfb.exe	Code function: GetLocaleInfoA,		0_2_00419600

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe VolumeInformation

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_0041081F GetSystemTimeAsFileTime,

0_2_0041081F

Source: C:\Users\user\Desktop\nyen2eabmfb.exe

Code function: 0_2_00405D56 GetVersionExW,

0_2_00405D56

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected 44Caliber Stealer

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1860627199.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Insidious_protected.exe	String found in binary or memory: Electrum
Source: Insidious_protected.exe, 00000001.00000002.1860627199.0000000003D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: Insidious_protected.exe	String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: Insidious_protected.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: Insidious_protected.exe	String found in binary or memory: \Ethereum\keystore
Source: Insidious_protected.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: Insidious_protected.exe	String found in binary or memory: Ethereum
Source: Insidious_protected.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: Insidious_protected.exe	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1860627199.0000000003CCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR

Remote Access Functionality

Yara detected 44Caliber Stealer

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: Yara match	File source: 1.2.Insidious_protected.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1860627199.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Insidious_protected.exe PID: 6360, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Software Packing	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nyen2eabmfb.exe	53%	ReversingLabs	Win32.Trojan.ProtectorEnigma

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	100%	Avira	HEUR/AGEN.1351863
C:\Users\user\AppData\Local\Temp\Insidious_protected.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://steamcommunity.com/profiles/ASOFTWARE	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_Ho	0%	Avira URL Cloud	safe
http://freegeoip.appd	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/openU	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
http://freegeoip.app	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	188.114.97.3	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1860627199.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmp3155.tmp.tmpdb.1.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/ASOFTWARE	Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enigmaprotector.com/openU	Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	Insidious_protected.exe, 00000001.00000002.1860627199.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1860627199.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://freegeoip.appd	Insidious_protected.exe, 00000001.00000002.1860627199.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp3155.tmp.tmpdb.1.dr	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_Ho	Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/	Insidious_protected.exe	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/	Insidious_protected.exe, Insidious_protected.exe, 00000001.00000002.1860627199.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	Insidious_protected.exe, 00000001.00000002.1858288089.0000000000942000.00000040.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp3155.tmp.tmpdb.1.dr	false	URL Reputation: safe	unknown
http://www.enigmaprotector.com/	Insidious_protected.exe, 00000001.00000002.1858330946.0000000000994000.00000040.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Insidious_protected.exe, 00000001.00000002.1860627199.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000001.00000002.1861456782.0000000004CDB000.00000004.00000800.00020000.00000000.sdmp, tmp3156.tmp.dat.1.dr, tmp31D5.tmp.dat.1.dr	false	URL Reputation: safe	unknown
http://freegeoip.app	Insidious_protected.exe, 00000001.00000002.1860627199.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	freegeoip.app	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1495141
Start date and time:	2024-08-19 18:41:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nyen2eabmfb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/15@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 63% Number of executed functions: 138 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: nyen2eabmfb.exe

Simulations

Behavior and APIs

Time	Type	Description
12:42:16	API Interceptor	1x Sleep call for process: WerFault.exe modified
12:42:16	API Interceptor	1x Sleep call for process: Insidious_protected.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	htxERaJl1W.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	826430cl.nyashtop.top/_httpGeoprocessorApiServercentral.php
	http://te.nhrnick.com/	Get hash	malicious	Unknown	Browse	te.nhrnick.com/
	S#U0435tup.exe	Get hash	malicious	Cryptbot	Browse	neintyy19sb.top/v1/upload.php
	Official Salary for the Month of August 2024 - NU1622662404290592.exe	Get hash	malicious	FormBook	Browse	www.eraplay88rtpgacor.lat/pt46/?Cj90E=2U5FQK94ZXdB/CZGbEmAqiVYM6OiqGkb5XXzbZC/PxdEk7+YTa81A9JVSB2t8XsQKzff&GVWh=CdT0vvb
	FedEx Shipping Document.exe	Get hash	malicious	Azorult	Browse	l0h5.shop/CM341/index.php
	http://binanceevn.com/index/index/lang/ko-kr/Trade/tradelist	Get hash	malicious	Unknown	Browse	binanceevn.com/Verify/code
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xls	Get hash	malicious	Unknown	Browse	jiourl.com/anbdld
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xls	Get hash	malicious	Unknown	Browse	jiourl.com/anbdld
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/qLW2DYuh/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/jSVzi5ju/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freegeoip.app	Cheat.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	B5U2ccQ8H1.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.97.3
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	188.114.96.3
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.73.97
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.160.84
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://klo.ua/wp-admin/ivwaj.php?7-797967704b5369323074665053797a4c54453873535532714c456c4e3153736f7974635071437a4f31776341-EMAILBASE64	Get hash	malicious	Phisher	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC	Browse	104.21.42.119
	https://na4.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAgtmudCdipeGj991qUjM8egV6814sux3rgVxmpQ9ZUPP1ghEiBFZhGbeUOXRNN8jh0-dHyQbAhKeqZWA47C7EGYTdl0WfoRVsVtug9eoPZA7XQynIL6EntGVhDjys02My&	Get hash	malicious	HTMLPhisher	Browse	104.18.69.40
	0calendarscope.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.16.74
	401(k) Form - 2024-Benefits_Payroll Increment forms August 19, 2024 Ref_ DZQYC08093.eml	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	1.1.1.1
	0calendarscope.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.16.74
	http://www.schoolsfirstfcu.org/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	Update_2762895.msix	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	http://c.edenroccapcana.com/ls/click?upn=u001.Jn-2B86bq4-2BTiJxHNPPwPcYCI8kgIN5SgMVsh0PZASy68e8PfiJNNBWJDO0OTi4LanfpEM_4RP1x9IUOIErTvm2WxWl5Z4QOHYAHyqip8YZp5LnDUq2XDbdNfDjy6diHckdYWR8GC1dEEt7xSdN8AAjvxAX2Bm9o-2BOkQ2n6vZOgy-2B7FKI4GOiHXXq8x6jV9zcNhH5gjJkame8F7fM8Aqevcoon0XajMkJnRoEdr1XdadG6lGda9bAu8ypNWj-2BXlZOL364sErAfQKFUCI6icKnDJkCM54G94kCNmgYcjJ7O7XN3WE3weWshg7ndjzA8pRwkZSgtorZoyVU7pbJLbMJ36n12VHu-2FgCePJ7biPYlS-2BsyRSspvir83-2Fpis9txF5QaNsJ7OisIkCkf6AWDh8PO4T0qZfOmwoP9C4TdIL05Ei8E-2FqIGHXGLznTIjK94robfUyV9-2FcjnZw6p9hZrt-2BqFayVCySKDkBfWYI04HVWV9dTuhiGDP9IUsM7xHpc7XINVq2oAdWrED6q9PJEi-2FQCsB1V-2Bp7VA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.26.1.107
	http://c.edenroccapcana.com/ls/click?upn=u001.Jn-2B86bq4-2BTiJxHNPPwPcYGWsrseFjolhLrLWEGRlN2-2FMC1N1jDjAZCygaCkRyU1YUF5r-2FhbwgKOSprD14EFnk88tw-2FM4MudP4BP140Mg00Fc-2FfqHsZF-2FTwXztM9i7TyFduRBYEWtw5JKf2C58aaNTD7FsAVLxZvei2RKy6KJ0zk-3DQJJC_4RP1x9IUOIErTvm2WxWl5Z4QOHYAHyqip8YZp5LnDUq2XDbdNfDjy6diHckdYWR8GC1dEEt7xSdN8AAjvxAX2Bm9o-2BOkQ2n6vZOgy-2B7FKI4GOiHXXq8x6jV9zcNhH5gjJkame8F7fM8Aqevcoon0XajMkJnRoEdr1XdadG6lGda9bAu8ypNWj-2BXlZOL364sErAfQKFUCI6icKnDJkCM54G94kCNmgYcjJ7O7XN3WE3weWshg7ndjzA8pRwkZSgtorZoyVU7pbJLbMJ36n12VHtDByzGxfAPgCMtZ1VHOcvogFdRBZCOK4lQSeo1AoxQ0LzWDeDO74xbO3bEd-2FsqceilgTJc44gYSbRuJxM6QlrkTAxELXq4552N1PSxMFukSLx2PPLbRk8xExJzj-2BstsRDZ5Y9I4enWVAocJjkNEZ5xkY5LeZJsKwhZOXYSpHHYfWrqzgRdVS05JEg2QikjQyw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.19.153.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://procore-drive.s3.amazonaws.com/ProcoreDriveSetup.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://shared.outlook.inky.com/link?domain=urldefense.proofpoint.com&t=h.eJxVUE2PmzAU_CsrDpxK-AazEuqyS5JqE9Jmg9IoF8sYQ0jABtvANlX_eyGHSr08vfdmNKOZ30rPa-X5SblI2YpnXZ_OnBSECrJoOWNFyyoqF5g1-mDN4Nc-fFA1O4KwRFT2dJq3nuLqhjh5UCEcW82KK4rrPicCtqxhMJtYAjYVJVDNw3hMVtGo4pD067OQGKVxXQ9Vs9yBzL-e-Nh9L7TBjeBb3pb0WFRVkqg8fIXd7u7ffby-lqdsKIVxMQ7yLfnx06k3JzJoxLu6EBvQitQmBGP3vi9cfgCb66cZO4BdtpvOWtXYGjbgWwnPbZWIAzp3MoW_Rin2BMS7Na8OOydFGVNFCCInhbL-vBDf-xg-_KPdrtDyCMHyvt5v35k2bFPZs9fs7KgkVL48Kbe5TUok42Uhfd-37CDQy4JP8QvG5cu_DdFcMCoe3XrIJ7nrBHaW2aZrmJ4BDDezPexlhmvngW5OOi5wbDdYmLMLebigehJgL-guCUZNM0vNYD6D_z3__AXAcKQ4.MEUCIB-PNKp_9-d3drOD5owphdjbOwtYz5OQxdgeN5g2hPNUAiEAleTizC6zi0EZIypSMBPG6kkRYgzdslitxgPkKL9II8M	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://uspsmyr.info	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://uspsnye.info	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, zgRAT	Browse	188.114.97.3
	buidl.exe	Get hash	malicious	XWorm	Browse	188.114.97.3
	IB987650098000044.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Legal Action Documents PDF.bat.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PAGO.08.12.2024.lnk.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Insidious_protec_ad20de64d4f8f9f5d0b130c7f4277878f342ab27_e4ee48d4_2908e129-5d54-426d-afce-905897399c6d\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2067933120602308
Encrypted:	false
SSDEEP:	192:xCAoUrtFq80BU/ojeTmuSohJ/zuiFdZ24IO8p:gAoytFiBU/ojecsJ/zuiFdY4IO8p
MD5:	850EB406D97CE077481EBC07CD007D9B
SHA1:	98E35F6C387A07E74C075591D379820FA91CB6F6
SHA-256:	0FE11575DBAA91CA830F9E084787059ECBCD40EDF32566FD0889C7E9D14C131B
SHA-512:	C67F70735B6C819BE254D9A37B8EAA1989910B7EB0AC52F6E9E7472BBC6C652446F8EA2F4B9E0B57B4B5E4F5AD81D938032C229C6BA3DED901868C9B4C098947
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.5.5.9.3.1.7.4.4.0.7.9.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.5.5.9.3.1.9.1.4.3.9.2.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.0.8.e.1.2.9.-.5.d.5.4.-.4.2.6.d.-.a.f.c.e.-.9.0.5.8.9.7.3.9.9.c.6.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.d.c.5.3.e.9.-.b.f.7.6.-.4.e.b.5.-.b.c.f.d.-.9.f.8.6.a.5.9.b.8.2.c.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.s.i.d.i.o.u.s._.p.r.o.t.e.c.t.e.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.i.d.i.o.u.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.d.8.-.0.0.0.1.-.0.0.1.4.-.0.9.c.8.-.2.6.b.4.5.6.f.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.1.8.6.e.c.8.a.7.1.b.7.6.8.8.5.0.a.d.2.d.f.e.6.a.d.f.3.7.6.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.0.b.b.e.8.7.a.e.7.5.1.9.b.5.d.6.d.c.d.7.f.6.2.8.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33B7.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Aug 19 16:41:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	361651
Entropy (8bit):	4.0239026922771455
Encrypted:	false
SSDEEP:	3072:K62QZACW54uEqIbx1LTg4GpmynutSWy4yFb5+r87N7prH:K6bjW54h9hTgHcyncSWh4bYGr
MD5:	01E8395B368FE595D87AFFB806360C93
SHA1:	A8CFD31D7D7C604D8EDDD4E46A1A5A4C791AD26F
SHA-256:	B61FEAF58AFD464749C97903BCFBF9672E445058E027BBFB042462026769C95A
SHA-512:	04BA3813650C2255C363A8BD49BB257A21D42190436BBAAC08A28C0613E4D55D3FDB39E1DD026868215B700CED21B6BC1E9096338C58768CC9C173E48043E521
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........u.f............4...........<...H.......$....)......t>...g..........`.......8...........T............M...6...........)...........+..............................................................................eJ......,,......GenuineIntel............T............u.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3955.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6422
Entropy (8bit):	3.7134083671386504
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbWgA6ARYZK0QE/fOOL5aM4UZ89bBxsfgrm:R6l7wVeJWv6mYZbBprZ89bBxsfgrm
MD5:	2DB6279B4E193228414C5B3415577AF5
SHA1:	7D956766A456D98E3F135AC31931F78F6E42ED32
SHA-256:	42B01E71A8FC01F1C312B18B4B2CF94E5ACF373BDDC7D8097F043B7E862BCE77
SHA-512:	B5098430A9598A0E4DC0B9C956BC56D2E01D234B4471702B4037570A66302C4A626A05E18F2177A621DF6052C84770F67ED16FA1D89DD98F27BF174C52A74947
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39B4.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4807
Entropy (8bit):	4.482233772463647
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9ATWpW8VYtYm8M4JbSF/+q8vpkXCGs/rUd:uIjfFI7ai7VJJwKGXCF/rUd
MD5:	2E617CFC2D0295294F6E56874BF1F657
SHA1:	F40D78DBA4049C0DB550A7F149EB410BF9C38D7F
SHA-256:	A626E14443E8D90DC4F20D54498B41F60ED5F37362DC92F7E0094202E448D85A
SHA-512:	E89FCB6AED131C4B5F6344000FC86B4AD071885E13836C01DE568E0A3E37FFE9E5E4F612674AD9ACED8432B58F97D711BF476AFDAE8BF3430D6174D96863C29F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="462704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\Insidious_protected.exe

Process:	C:\Users\user\Desktop\nyen2eabmfb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1241088
Entropy (8bit):	7.9864201442596885
Encrypted:	false
SSDEEP:	24576:c1VJqwlZcf4XH1yfEXk3vc8W/jr1STXLmPz63V2HTiViv4qWVLiO6:c1VrlSfI1WlE7/ITq76lslAZxiO6
MD5:	D9CCDE3B728FBA6D6E3F1B92C75A11A8
SHA1:	B0BBE87AE7519B5D6DCD7F6282E891922971942D
SHA-256:	D5A18B44A40E9BC1952BCE6E187B81926FFD358AA5EBE95921CDE2B9A72B172F
SHA-512:	738F1B568009A6DF2FCAF2F1C8ABA6AEE91B4A66474E095D6E483B72EBF1D5309D33908DD1531407A69520B657BDFA75C6B3EDA796C20BF1542B632030E58DB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Y..........."..................... ........@.. ........................;...........`................................. @-...... .......................@-.................................................................................................. ......................@............ ..........................@............ ..........................@....rsrc.... ... ......................@.............(..@......................@....dhnhbfg.`...@-..B..................@...........................................T-Ta...`R9....N........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3155.tmp.tmpdb

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3156.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp31A5.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp31D5.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3205.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3216.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3226.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3256.tmp.tmpdb

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Process:	C:\Users\user\AppData\Local\Temp\Insidious_protected.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Windows\appcompat\Programs\Amcache.hve