Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540231
MD5: 126619fbbb061d7f4e5a595068249ce8
SHA1: 97bce4d9b978f39b2695b4e3cd24b027f10de317
SHA256: f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198
Tags: exe, user-jstrosch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to change the wallpaper
Creates HTML files with .exe extension (expired dropper behavior)
Found stalling execution ending in API Sleep call
Modifies the windows firewall
Sample is not signed and drops a device driver
Uses ipconfig to lookup or modify the Windows network settings
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_01006205
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: wextract.pdb source: file.exe
Source: Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb source: ClientRun.exe, ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb$Pc source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\Seetrol_Clt\Release\screenhooks32.pdb source: ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr
Source: Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb M<O source: ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: ~.pdb source: STClientChat.exe.0.dr, STClientChat.exe.1.dr
Source: Binary string: SAS.pdbR source: sas.dll.0.dr, sas.dll.1.dr
Source: Binary string: SAS.pdb source: sas.dll.0.dr, sas.dll.1.dr
Source: Binary string: W+.pdb source: ClientRun.exe, 00000001.00000003.2090139584.0000000000578000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe.1.dr, SeetrolClient.exe.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_004015E0 SHGetSpecialFolderPathA,_memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,wsprintfA,RemoveDirectoryA, 1_2_004015E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_004023B0 _memset,FindFirstFileA,FindClose, 1_2_004023B0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043A5C0 _sprintf,FindFirstFileA,_sprintf,FindNextFileA, 3_2_0043A5C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00432AD0 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,FindNextFileA,FindClose, 3_2_00432AD0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00435040 GetLogicalDrives,_memset,_memset,GetSystemDefaultLangID,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,GetDriveTypeA,SHGetFileInfo,_memset,_memset,_memset,_sprintf,FindFirstFileA,_sprintf,_memset,FindNextFileA,FindClose, 3_2_00435040
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00433470 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_memset,FindNextFileA,FindClose, 3_2_00433470
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00479646 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_00479646
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0040BE90 _memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,FindNextFileA,_sprintf,FindNextFileA,FindClose,_sprintf,RemoveDirectoryA, 3_2_0040BE90

Networking

Source: Network traffic Suricata IDS: 2020826 - Severity 1 - ET MALWARE Potential Dridex.Maldoc Minimal Executable Request : 192.168.2.5:49710 -> 139.150.75.206:80
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe File created: MirrInst32.exe.3.dr
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe File created: MirrInst64.exe.3.dr
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043D980 _sprintf,Sleep,_sprintf,DeleteUrlCacheEntry,URLDownloadToFileA,ShellExecuteW, 3_2_0043D980
Source: Joe Sandbox View ASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 139.150.75.206:80
Source: global traffic HTTP traffic detected: GET /update4/SeetrolCenter.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /update3/NetScan.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043E5D0 GetSystemDirectoryA,_sprintf,DeleteUrlCacheEntry,DeleteFileA,Sleep,_sprintf,DeleteUrlCacheEntry,URLDownloadToFileA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry, 3_2_0043E5D0
Source: global traffic HTTP traffic detected: GET /update4/SeetrolCenter.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /update3/NetScan.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /update3/MirrInst32.exe HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/MirrInst64.exe HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/Install.txt HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/Uninstall.txt HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/068/dfmirage.cat HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/068/dfmirage.dll HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/068/dfmirage.inf HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/068/dfmirage.sys HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/105/dfmirage.cat HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/105/dfmirage.inf HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/105/x64/dfmirage.dll HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/105/x64/dfmirage.sys HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/105/x86/dfmirage.dll HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic HTTP traffic detected: GET /update3/105/x86/dfmirage.sys HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic DNS traffic detected: DNS query: www.seetrol.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 223Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 34 2f 53 65 65 74 72 6f 6c 43 65 6e 74 65 72 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update4/SeetrolCenter.exe was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 217Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4e 65 74 53 63 61 6e 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/NetScan.exe was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 220Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4d 69 72 72 49 6e 73 74 33 32 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/MirrInst32.exe was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 220Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4d 69 72 72 49 6e 73 74 36 34 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/MirrInst64.exe was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 217Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 49 6e 73 74 61 6c 6c 2e 74 78 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/Install.txt was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 219Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 55 6e 69 6e 73 74 61 6c 6c 2e 74 78 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/Uninstall.txt was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 63 61 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.cat was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.dll was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 69 6e 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.inf was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.sys was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 64 66 6d 69 72 61 67 65 2e 63 61 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/dfmirage.cat was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 64 66 6d 69 72 61 67 65 2e 69 6e 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/dfmirage.inf was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 36 34 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x64/dfmirage.dll was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 36 34 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x64/dfmirage.sys was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 38 36 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x86/dfmirage.dll was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:10 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 38 36 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x86/dfmirage.sys was not found on this server.</p></body></html>
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr String found in binary or memory: http://www.seetrol.com/
Source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.seetrol.com/flash.html
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.seetrol.com/flash.htmlflash.htmlwww.seetrol.com901801701_01%s_%02d_
Source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.seetrol.com/update3
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.cat4
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.cat_
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.dll
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.inf
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.sys
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/dfmirage.cat
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/dfmirage.catp
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/dfmirage.inf
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x64/dfmirage.dll
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x64/dfmirage.dll~
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x64/dfmirage.sys
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.dll
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.dll8
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3343445746.0000000009ED6000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.sys
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.sysm
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/Install.txt
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/MirrInst32.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/MirrInst32.exe9
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/MirrInst64.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/MirrInst64.exe%
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/NetScan.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/NetScan.exeNo
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/NetScan.exeVo
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/NetScan.exeZo
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/Uninstall.txt
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update3/Uninstall.txt~GP
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.seetrol.com/update3WINDOWS
Source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.seetrol.com/update4
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.seetrol.com/update4%s:
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update4/SeetrolCenter.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update4/SeetrolCenter.exe3V
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.seetrol.com/update4/SeetrolCenter.exeh
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043F450 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard, 3_2_0043F450
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004234C0 GetKeyState,InvalidateRect,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,InvalidateRect,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW, 3_2_004234C0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043A870 SystemParametersInfoW,CoInitialize,CoCreateInstance,CoUninitialize, 3_2_0043A870
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043A930 CoInitialize,CoCreateInstance,CoUninitialize,SystemParametersInfoW, 3_2_0043A930
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_004014C0 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,ControlService,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_2_004014C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0040F4B0 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32FirstW,ProcessIdToSessionId,Process32NextW,LoadLibraryW,GetProcAddress,74591930,_memset,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,74AE7ED0,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_2_0040F4B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01002251 ExitWindowsEx, 0_2_01002251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_010019C3
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0044DC60 IsUserAnAdmin,Sleep,ExitWindowsEx, 3_2_0044DC60
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: ShellExecuteW, shutdown 3_2_0043BE60
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0044DE20 ExitWindowsEx,InitiateSystemShutdownExW,KillTimer,KillTimer,KillTimer,Sleep, 3_2_0044DE20
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe File created: C:\Program Files (x86)\seetrol\client\068\dfmirage.sys
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File deleted: C:\Windows\Prefetch\cadrespri.7db
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01008D30 0_2_01008D30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01009548 0_2_01009548
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01009982 0_2_01009982
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010086B0 0_2_010086B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010089C7 0_2_010089C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010090EF 0_2_010090EF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_0040BB82 1_2_0040BB82
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043B0F0 3_2_0043B0F0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043FE80 3_2_0043FE80
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0044BFE0 3_2_0044BFE0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00402150 3_2_00402150
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004C8267 3_2_004C8267
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004303F0 3_2_004303F0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00410420 3_2_00410420
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004C6EB0 3_2_004C6EB0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004E6FD0 3_2_004E6FD0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004012F0 3_2_004012F0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00401359 3_2_00401359
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00401510 3_2_00401510
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004DF8C0 3_2_004DF8C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0042B900 3_2_0042B900
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043DA60 3_2_0043DA60
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: String function: 004B0CD8 appears 54 times
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: String function: 004B0BB1 appears 58 times
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: String function: 004ABC43 appears 81 times
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: String function: 00461613 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: String function: 00404CB8 appears 34 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1819553 bytes, 8 files, at 0x2c +A "ClientRun.exe" +A "Seetrol_Clt.exe", ID 11004, number 1, 60 datablocks, 0x1503 compression
Source: SeetrolClient.exe.0.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: STClientChat.exe.0.dr Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.0.dr Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.0.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: STClientChat.exe.0.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: STClientChat.exe.1.dr Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.1.dr Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: STClientChat.exe.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: SeetrolClient.exe.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: file.exe, 00000000.00000003.2082710319.00000000005EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSTClientChat.exe: vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE t) vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .rsrc ZLIB complexity 0.9926522970530998
Source: Seetrol_Clt.exe.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9892071759259259
Source: STClientChat.exe.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.993204455596107
Source: STClientChat.exe.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.993204455596107
Source: Seetrol_Clt.exe.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9892071759259259
Source: classification engine Classification label: mal76.rans.evad.winEXE@8/32@1/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100456A lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA, 0_2_0100456A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_010019C3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_00401210 AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,GetLastError,AdjustTokenPrivileges,GetLastError, 1_2_00401210
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043C0C0 LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,GetLastError,AdjustTokenPrivileges,GetLastError, 3_2_0043C0C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043CE80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 3_2_0043CE80
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0040F4B0 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32FirstW,ProcessIdToSessionId,Process32NextW,LoadLibraryW,GetProcAddress,74591930,_memset,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,74AE7ED0,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_2_0040F4B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01006A45 GetDiskFreeSpaceA,SetCurrentDirectoryA,MulDiv, 0_2_01006A45
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CloseServiceHandle,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0040DB70
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,Sleep,Sleep,ShellExecuteW,Sleep,CloseServiceHandle, 3_2_0040FF60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_00401000 CreateToolhelp32Snapshot,Process32First,Process32Next,NetWkstaGetInfo,CloseHandle, 1_2_00401000
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00441C20 CoInitialize,CoCreateInstance,OutputDebugStringW,CoTaskMemFree,PropVariantClear,CoUninitialize, 3_2_00441C20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01005190 GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_01005190
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0040DB70 IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CloseServiceHandle,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0040DB70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\_KHClient_APP_2345_5432_
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Command line argument: file.exe 1_2_00401C10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Command line argument: file 1_2_00401C10
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Command line argument: @KL 3_2_004C4A90
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SeetrolClient.exe String found in binary or memory: %s/Install.txt
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: aclayers.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: sfc.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: riched20.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: usp10.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: msls31.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: ksuser.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: avrt.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: audioses.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: midimap.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Window detected: Number of UI elements: 18
Source: file.exe Static file information: File size 1886528 > 1048576
Source: file.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1c1a00
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: wextract.pdb source: file.exe
Source: Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb source: ClientRun.exe, ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb$Pc source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\Seetrol_Clt\Release\screenhooks32.pdb source: ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr
Source: Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb M<O source: ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: ~.pdb source: STClientChat.exe.0.dr, STClientChat.exe.1.dr
Source: Binary string: SAS.pdbR source: sas.dll.0.dr, sas.dll.1.dr
Source: Binary string: SAS.pdb source: sas.dll.0.dr, sas.dll.1.dr
Source: Binary string: W+.pdb source: ClientRun.exe, 00000001.00000003.2090139584.0000000000578000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe.1.dr, SeetrolClient.exe.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_01006205
Source: sthooks.dll.0.dr Static PE information: section name: .shared
Source: sthooks.dll.1.dr Static PE information: section name: .shared
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_00404CFD push ecx; ret 1_2_00404D10
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004B0C89 push ecx; ret 3_2_004B0C9C
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004B0D1D push ecx; ret 3_2_004B0D30
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004473EC push cs; retf 3_2_004473EF
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe File created: C:\Program Files (x86)\seetrol\client\068\dfmirage.sys
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe File created: C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe File created: C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043D980 _sprintf,Sleep,_sprintf,DeleteUrlCacheEntry,URLDownloadToFileA,ShellExecuteW, 3_2_0043D980
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolClient.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STClientChat.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\sthooks.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sas.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\sas.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\STUpdate.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sthooks.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STUpdate.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe File created: C:\Program Files (x86)\seetrol\client\STClientChat.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010026E2 LocalFree,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA, 0_2_010026E2
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0040DB70 IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CloseServiceHandle,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0040DB70
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004429A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,SetRect,GetClientRect, 3_2_004429A0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043E1B0 IsIconic, 3_2_0043E1B0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0045E632 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 3_2_0045E632
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Window / User API: threadDelayed 1423
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Window / User API: threadDelayed 756
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STClientChat.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\sthooks.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sas.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\STUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\sas.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sthooks.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\STClientChat.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe API coverage: 8.0 %
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe TID: 4436 Thread sleep time: -42690s >= -30000s
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Thread sleep count: Count: 1423 delay: -30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_004015E0 SHGetSpecialFolderPathA,_memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,wsprintfA,RemoveDirectoryA, 1_2_004015E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_004023B0 _memset,FindFirstFileA,FindClose, 1_2_004023B0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043A5C0 _sprintf,FindFirstFileA,_sprintf,FindNextFileA, 3_2_0043A5C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00432AD0 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,FindNextFileA,FindClose, 3_2_00432AD0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00435040 GetLogicalDrives,_memset,_memset,GetSystemDefaultLangID,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,GetDriveTypeA,SHGetFileInfo,_memset,_memset,_memset,_sprintf,FindFirstFileA,_sprintf,_memset,FindNextFileA,FindClose, 3_2_00435040
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00433470 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_memset,FindNextFileA,FindClose, 3_2_00433470
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00479646 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_00479646
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0040BE90 _memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,FindNextFileA,_sprintf,FindNextFileA,FindClose,_sprintf,RemoveDirectoryA, 3_2_0040BE90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010052D4 lstrcpyA,lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA, 0_2_010052D4
Source: ClientRun.exe, 00000001.00000003.2093776662.0000000000550000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\R
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3343445746.0000000009ED6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ClientRun.exe, 00000001.00000003.2093776662.0000000000550000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWss32
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_00402478 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00402478
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_004012C0 _memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Sleep,OpenProcess,GetLastError,TerminateProcess,CloseHandle,Sleep,OutputDebugStringA,Process32Next,CloseHandle,LookupPrivilegeValueA,CloseHandle, 1_2_004012C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_01006205
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_0040D2F5 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_0040D2F5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010064DE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010064DE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_00402478 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00402478
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_00404407 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00404407
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_0040DF1E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040DF1E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: 1_2_0040818B SetUnhandledExceptionFilter, 1_2_0040818B
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004AB071 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_004AB071
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004AD4AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_004AD4AC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0044BFE0 GetModuleFileNameA,SetCurrentDirectoryA,Sleep,SetThreadExecutionState,GetSystemMenu,AppendMenuW,AppendMenuW,AppendMenuW,AppendMenuW,AppendMenuW,DeleteFileW,DeleteFileW,DeleteFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,Sleep,ShellExecuteW,SendMessageW,SendMessageW,SendMessageW,SetTimer,LoadImageA,LoadImageW,GetClientRect,KiUserCallbackDispatcher,GetWindowRect,GetWindowRect,GetWindowRect,SetRect,SetRect,SetRect,RtlInitializeCriticalSection,GetSystemMetrics,SetTimer,SetTimer,SetTimer,SetTimer,SendMessageW,KillTimer,SetTimer,SetTimer,Sleep,Sleep,Sleep,Sleep,SetTimer,SendMessageW,SetTimer,SendMessageW,KillTimer,SetTimer,SetTimer,Sleep,Sleep,Sleep,Sleep,Sleep,SendMessageW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,Sleep,Sleep,Sleep,Sleep,Sleep,SetTimer,SendMessageW,SendMessageW,SendMessageW,LoadIconW,SetTimer,SetTimer,FindWindowW,FindWindowExW,GetWindowRect,SendMessageW,SetTimer, 3_2_0044BFE0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_0043D150 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event, 3_2_0043D150
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Process created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01001760 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_01001760
Source: SeetrolClient.exe Binary or memory string: Shell_TrayWnd
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Cstop.animation.%dTray.{47BCDAC1-2E6F-4f9a-9A3F-68A3B97CE33E}ToolbarWindow32SysPagerTrayNotifyWndShell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe Code function: GetLocaleInfoA, 1_2_0040CB1D
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: GetLocaleInfoA, 3_2_004DC8BB
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00441940 CreateNamedPipeW,DisconnectNamedPipe,ConnectNamedPipe,GetLastError,ReadFile,PostMessageW,CloseHandle,__endthread, 3_2_00441940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0100646B
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_004BF1FE __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,GetLastError,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,SetOaNoCache,__invoke_watson, 3_2_004BF1FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100488C GetVersionExA,MessageBeep,MessageBoxA, 0_2_0100488C

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe Code function: 3_2_00434450 CreateDirectoryW,socket,setsockopt,setsockopt,closesocket,setsockopt,htons,bind,closesocket,listen,closesocket, 3_2_00434450