Windows Analysis Report
eddzD2MA12.exe

Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0016B020	10_2_0016B020
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001694E0	10_2_001694E0
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00169C80	10_2_00169C80
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001823F5	10_2_001823F5
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001E8400	10_2_001E8400
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00196502	10_2_00196502
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0019265E	10_2_0019265E
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0016E6F0	10_2_0016E6F0
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018282A	10_2_0018282A
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001989BF	10_2_001989BF
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001E0A3A	10_2_001E0A3A
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00196A74	10_2_00196A74
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00170BE0	10_2_00170BE0
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018CD51	10_2_0018CD51
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001BEDB2	10_2_001BEDB2
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001C8E44	10_2_001C8E44
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001E0EB7	10_2_001E0EB7
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00196FE6	10_2_00196FE6
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001833B7	10_2_001833B7
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018F409	10_2_0018F409
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0017D45D	10_2_0017D45D
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0017F628	10_2_0017F628
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00161663	10_2_00161663
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001816B4	10_2_001816B4
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0016F6A0	10_2_0016F6A0
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001878C3	10_2_001878C3
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00181BA8	10_2_00181BA8
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018DBA5	10_2_0018DBA5
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00199CE5	10_2_00199CE5
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0017DD28	10_2_0017DD28
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018BFD6	10_2_0018BFD6
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00181FC0	10_2_00181FC0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\436117\Mother.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: String function: 00171A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: String function: 00188B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: String function: 00180D17 appears 70 times
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: String function: 004062A3 appears 58 times

Source: eddzD2MA12.exe, 00000000.00000003.1691283902.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs eddzD2MA12.exe
Source: eddzD2MA12.exe, 00000000.00000003.1744427736.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs eddzD2MA12.exe
Source: eddzD2MA12.exe, 00000000.00000002.1745172242.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs eddzD2MA12.exe

Source: eddzD2MA12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/14@2/1

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001CA6AD GetLastError,FormatMessageW,

10_2_001CA6AD

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001B8DE9 AdjustTokenPrivileges,CloseHandle,		10_2_001B8DE9
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001B9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_001B9399

Source: C:\Users\user\Desktop\eddzD2MA12.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001C4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_001C4148

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001C443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

10_2_001C443D

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03

Source: C:\Users\user\Desktop\eddzD2MA12.exe

File created: C:\Users\user\AppData\Local\Temp\nsb7CB5.tmp

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat

Source: eddzD2MA12.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\eddzD2MA12.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: eddzD2MA12.exe	ReversingLabs: Detection: 31%
Source: eddzD2MA12.exe	Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\eddzD2MA12.exe

File read: C:\Users\user\Desktop\eddzD2MA12.exe

Source: unknown	Process created: C:\Users\user\Desktop\eddzD2MA12.exe "C:\Users\user\Desktop\eddzD2MA12.exe"
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 436117
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NuclearRemarksReliabilityComputation" Young
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Ky + ..\Appears + ..\Educators + ..\Images + ..\Driver + ..\Generations + ..\Lol v
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\436117\Mother.pif Mother.pif v
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 436117	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NuclearRemarksReliabilityComputation" Young	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Ky + ..\Appears + ..\Educators + ..\Images + ..\Driver + ..\Generations + ..\Lol v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\436117\Mother.pif Mother.pif v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: eddzD2MA12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_00188B75 push ecx; ret

10_2_00188B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001E59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_001E59B3
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_00175EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_00175EDA

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001833B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_001833B7

Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 10.2.Mother.pif.120f980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.120f980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.4220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mother.pif PID: 7568, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Mother.pif, 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL03:00:4503:00:4503:00:4503:00:4503:00:4503:00:45DELAYS.TMP%S%SNTDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_10-100756

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

API coverage: 4.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\eddzD2MA12.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_001C4005
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_001CC2FF
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001C494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_001C494A
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001CCD14 FindFirstFileW,FindClose,	10_2_001CCD14
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_001CCD9F
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_001CF5D8
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_001CF735
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_001CFA36
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_001C3CE2

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_00175D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00175D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\436117	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\436117\	Jump to behavior

Source: Mother.pif, 0000000A.00000002.2928795702.0000000001254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarey
Source: Mother.pif, 0000000A.00000002.2928983225.00000000013F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Mother.pif, 0000000A.00000002.2928795702.0000000001254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Mother.pif, 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Process information queried: ProcessInformation

Yara detected Powershell download and execute

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001D45D5 BlockInput,

10_2_001D45D5

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_00175240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00175240

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_00195CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_00195CAC

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001B88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_001B88CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018A354 SetUnhandledExceptionFilter,		10_2_0018A354
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_0018A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		10_2_0018A385

HIPS / PFW / Operating System Protection Evasion

Source: Yara match

File source: Process Memory Space: Mother.pif PID: 7568, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001B9369 LogonUserW,

10_2_001B9369

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_00175240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00175240

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001C1AC6 SendInput,keybd_event,

10_2_001C1AC6

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001C51E2 mouse_event,

10_2_001C51E2

Source: C:\Users\user\Desktop\eddzD2MA12.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 436117	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NuclearRemarksReliabilityComputation" Young	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Ky + ..\Appears + ..\Educators + ..\Images + ..\Driver + ..\Generations + ..\Lol v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\436117\Mother.pif Mother.pif v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

10_2_001B88CD

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001C4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_001C4F1C

Source: eddzD2MA12.exe, 00000000.00000003.1691283902.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928095940.0000000000216000.00000002.00000001.01000000.00000006.sdmp, Purchased.0.dr, Mother.pif.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Mother.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_0018885B cpuid

10_2_0018885B

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001A0030 GetLocalTime,__swprintf,

10_2_001A0030

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_001A0722 GetUserNameW,

10_2_001A0722

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Code function: 10_2_0019416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_0019416A

Source: C:\Users\user\Desktop\eddzD2MA12.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 10.2.Mother.pif.120f980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.120f980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.4220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mother.pif PID: 7568, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 10.2.Mother.pif.120f980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.120f980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.4220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mother.pif PID: 7568, type: MEMORYSTR

Source: Mother.pif	Binary or memory string: WIN_81
Source: Mother.pif	Binary or memory string: WIN_XP
Source: Mother.pif	Binary or memory string: WIN_XPe
Source: Mother.pif	Binary or memory string: WIN_VISTA
Source: Mother.pif	Binary or memory string: WIN_7
Source: Mother.pif	Binary or memory string: WIN_8
Source: Mother.pif.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 10.2.Mother.pif.120f980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.120f980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.4220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mother.pif PID: 7568, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 10.2.Mother.pif.120f980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.120f980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mother.pif.4220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mother.pif PID: 7568, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001D696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		10_2_001D696E
Source: C:\Users\user\AppData\Local\Temp\436117\Mother.pif	Code function: 10_2_001D6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_001D6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	4 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eddzD2MA12.exe	32%	ReversingLabs	Win32.Trojan.Generic
eddzD2MA12.exe	16%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\436117\Mother.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\436117\Mother.pif	11%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high
EMlHLrRfRkqrlGndWg.EMlHLrRfRkqrlGndWg	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199800374635	false		high
https://t.me/gos90t	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	eddzD2MA12.exe, 00000000.00000003.1691283902.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928153099.0000000000229000.00000002.00000001.01000000.00000006.sdmp, Purchased.0.dr, Mother.pif.1.dr	false	high
https://t.me/	Mother.pif, 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928795702.0000000001254000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928795702.00000000011A4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://t.me/gos90tD	Mother.pif, 0000000A.00000002.2928444243.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	eddzD2MA12.exe	false	high
https://t.me/gos90t213	Mother.pif, 0000000A.00000002.2928795702.0000000001254000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/76561199800374635do88eqMozilla/5.0	Mother.pif, 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	eddzD2MA12.exe, 00000000.00000003.1691283902.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp, eddzD2MA12.exe, 00000000.00000002.1744747415.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Purchased.0.dr, Mother.pif.1.dr	false	high
https://t.me/gos90tdo88eqsqlo.dllMozilla/5.0	Mother.pif, 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, Mother.pif, 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t.me/r	Mother.pif, 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://t.me/1	Mother.pif, 0000000A.00000002.2928795702.00000000011A4000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559926
Start date and time:	2024-11-21 07:15:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eddzD2MA12.exe renamed because original name is a hash value
Original Sample Name:	1bc68d708e953bf10bbf6744a6b91b28.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/14@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:16:03	API Interceptor	2224x Sleep call for process: Mother.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	https://usapress.info/inside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years/	Get hash	malicious	Unknown	Browse	46.105.201.240
	https://l.facebook.com/l.php?u=https%3A%2F%2Fusapress.info%2Finside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0r3IVxCUPtQPPqP5Ce0_adoAsiHgG3Oy1cYDq3k1JXBIrTGLtjToxlazM_aem_q02YsKkKY0QB_fm5suzUDw&h=AT1Xo_CkNlagO29_sds-m5zdTBZ6-H70m0J__7wjjmSNinwNGqBfRUFK3cH2zXJWNO7msrJPRkNulrkTmUCLkRNMcfCJTNK-cs4SfUQyRy7nw3vP1DNmFisBvlttaen8fHfi-N3lXN_BGQgdBw&__tn__=R%5D-R&c%5B0%5D=AT3euz91upHKeMVK8p24ktUFKClJ0GKt_3lJnV9tGakx0Tro3u7Ymk1z4tOG4eBZxcuD-Ny10eAla4iUyfdG04Fh4GryHwAMuELGG4dQctfWKiu4mfB-eLJ8Qktnq0ptzD_TaZEPEMHQnvP4W65jDpc-XBmWlMSmaRM-2soPhaPGYAODWegqP8h47S90Q2hmwQvQgUDdb35OgV1duzzqudMAyOk7e8E7mfpnrlwhIvWwUkK53AUNuPTqYkQ	Get hash	malicious	Unknown	Browse	46.105.201.240
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	SOfQumBuFd.exe	Get hash	malicious	Binder HackTool, Stealc, Vidar	Browse	149.154.167.99
	https://page-speed-2950.my.salesforce-sites.com/support	Get hash	malicious	Unknown	Browse	104.26.6.129
	https://saas-agility-1324.my.salesforce-sites.com/support	Get hash	malicious	Unknown	Browse	104.26.7.129
	FW Important Exploit Has Been Identified In Your Account Steps to Resolve.msg	Get hash	malicious	Unknown	Browse	104.26.7.129
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	AcroCEF.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	149.154.167.99
	YyA4O1TBSW.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	zlibwapi.dll.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	YyA4O1TBSW.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	zlibwapi.dll.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	LxvS6uMf0g.exe	Get hash	malicious	Acrid Stealer	Browse	149.154.167.99
	LxvS6uMf0g.exe	Get hash	malicious	Unknown	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\436117\Mother.pif	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Zhark RAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	ohDGVKFUNe.exe	Get hash	malicious	Unknown	Browse
	dX0P4SX3vv.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	invoice_template.pdf.lnk	Get hash	malicious	SmokeLoader	Browse
	KfoiTvEwmD.exe	Get hash	malicious	LummaC Stealer	Browse
	invoice_template.pdf.lnk	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\436117\Mother.pif

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 11%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: ohDGVKFUNe.exe, Detection: malicious, Browse Filename: dX0P4SX3vv.exe, Detection: malicious, Browse Filename: invoice_template.pdf.lnk, Detection: malicious, Browse Filename: KfoiTvEwmD.exe, Detection: malicious, Browse Filename: invoice_template.pdf.lnk, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\436117\v

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	445985
Entropy (8bit):	7.999553135122847
Encrypted:	true
SSDEEP:	12288:9aaVTTa5fGCVppcVcUYDbGiymi2d1Ftq4O:tTTifGCFcY6LmicrJO
MD5:	7DF1DBCDF8A4E466D1DE8C37E037A3B6
SHA1:	48B543C6E57EAEB31182D8156A4E1B4A10C63626
SHA-256:	FA5DF192AD32BF8D2894A42A3D4DA71D8095B815A0AE35CD1C96274540741216
SHA-512:	0C51DBBB2DC4CAD2A0008854F98D335505FAC2D432349F3F0A7B43025B7A6388FCB0B26B088993D814F89405598B507A109FD77D2AC432E9DA805727F4A73315
Malicious:	false
Preview:	..O-.d.we..=...=.......U......&......D>S./c.6E2(O....efoq..[)......5..VC..&.=..S..p.c.SlKx.....9..a.a.]g#i@.3.@d...{..e.0..."..fCn.......+.D.?",Q._[.:..w..yFT....r-......9i..}.8f..3.....Qb..\|w1m.....I......u.....\|.....Nb.s..}.R./%.3...1Ae-....2g.....`....$.f...I.....1 ....[..UO....A..m.... $%..."C....[.hlh.z....vb5...KY..yB.S.,.a....D..}.xw.[Tr`o.(.}.....&..`M.Ph.\.....;u...\.A..........hT......P....A>.8?#.7/...H..8.eO...)HGW...2.J..5..D5.pAn.....K..k~....r..R`.;mb.5 ..e~..z......-.9.f..y.....~^UF.s....1~..e.Zj2m.i..Y........W.x....3.R.\K...]..a\|.Zi;...y8v.....`..yw.c.X.[..i.J.b\.^9......;(k...~...=((\|....mRRbt.....ss.......`... ..z..Q.....L:..i......e....(yZ.SAc..F.\|.sQ....VO.Z..aV........T.s..,.cS_f.V..h[pM.1.....[..v........)...uaV.Q:.t._`.4.....s..p.....#....{....B..o9......X..*...E.^..<]....i#..1.(6.....I.+~.X...ras@d3....9i...P.....g.jq1.-.h.~T...C.Z.E....9U..I..%......`~"r..<70..V.`G..7...kX.Y..0.H3.z...O..._.}c..

C:\Users\user\AppData\Local\Temp\Appears

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.996466576826274
Encrypted:	true
SSDEEP:	1536:DNCQZDfS0TBhXTCJQa+sUAMMlP7/kWJIOF7WtyS3CK:e02qQ/Pu4qj3H
MD5:	C5573F90C6D3ACDF359D137009ECF238
SHA1:	735942B7B1048344942109F71C200BC6E0291C52
SHA-256:	E51F1F69861837446D756F6CB863C4A8B6B1CF4D89B604A02CAE79BD05230E23
SHA-512:	5A971247F0AE4A37568B2EE8C84F32AE62A443B323FC0E63D422861575C52C9134870FF1BA4E73937ACE29FDA2BFD656B2D84FE88F89A22C7311A265DF0344B2
Malicious:	false
Preview:	.. .O.:~....#%..E.$...[w.-....m...U4....PX....h.\|n.xq.......k.4..a.Z...P..b...a..(..q.lj=.yp........MK..v.G..,J...+..h...$iz8...=...v$[\|.:.."J..o..."....X8..e.._.vR.d..i5.R.K.G.7..p.\|...09>-...Q.R......!Q.e....+U...e.q<H..]k1..tH.-..0...9.L.~.).....O;.r.`...6H.....CQ. <.v......W....\|....:c.....X.'CQv.g.......lKv^..c.....k5..-.mrD...I..l....~.,.@..#../%(.Z...}.0.^b...........+...+y...$.UC... ..GD^..y.7.Z...l...$.>.......4.:..[.P..MKX`4......6.!...6....R ...Fa[0Y.;....."......;3..w.e.j)e.L.0B.?...'.c..+.N.YT..U.}.sl.O....[.Gb../%uc.<.>.R:.}.....o.g'V..~.r...v.NN.t.].<...........'.........@..`V.I..M...-..}!....K....\xY.2..g.._..Yg.;~.a.XY.G9.+......).....nR.:1.....,.!...mzL.ox......\</I.d.._B.n......r......NO.?..)....\....~.i.h..u.t..).b..}w.(.pX..<.pkC.4,<}T..l...F..%....RH.2....)....H...4....e..A..~...?....:...J.......4.;...2.Yj.uS..yi+..1...n.%..\|{....%5K.S}Kx...........Q+\^..1..l.=Cw.?...T......=}l..6...4..*.m...O.....

C:\Users\user\AppData\Local\Temp\Driver

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.998412135835442
Encrypted:	true
SSDEEP:	3072:47T+hZtp9BKhvJpUE5gx5ZmWucopj19oiKr057F:k+ZVcUESDuDpj1Giy0ZF
MD5:	A97BE012E03C4ADB9383B78B56857E04
SHA1:	804675871B186B4608746B41181D9C8035E8DAF2
SHA-256:	76E970842B79B21169B2C2A4A78467B686B56828072A863201EC0B00ED5D8367
SHA-512:	3DA11EC6F76B47FC625F98E66828CFED1A5D429508A08C57A2207298CF8D39351FA0E257CAE54ED4B92E27A6C8D3592BE2304B8393B5A18A38D0B8648F0F2903
Malicious:	false
Preview:	.....I. ..#6,....7B..Q..@....y....e.....N.......p.bKQ.C......Hk....v..{......w.QG.Oy\.(.....1..D...]..9{.y..`&...B..-fY.{...I......1OI....c....\|..Gr.R...W......R$..........g..Q..`M7c......f.\..)8...l...\|-c.$.Ra'.....5....9...{..@.G.L.P.....y..a.K.9.w...g..'.`.F+.xY..\.{.}.7.W.........>$.?....GM.p.U..:`..\7...{...i.....Azu\|... ..o..=...P..p7R..(WS..Rh;>..h. ..o.^...P..........cwx.,RA..].o_A..$b...10....!.......),...m......?[m.B;?K..\|w.....%.Of.1K...1.y.Z....V..4L.._.=.n.cho...Z........#..TU...U]^3..m....<Ysb5.U....'.1R.(....,Vyi....GyX..].aG... ...g..]...Q..U.iFH..@.@V..Mm...B3..[...b..n.g.......&.!,o=..^g.I.t.a.G.5N.......\.c........X..z.S.r..(...X.TF.5.%.......`.o.QJ...Q.U.6._.N<......W.X.t.6...re:.....hCy#...s.'K..&f.n..d..J.#....q.6+...k..`7.}VR:..9...:(...+N....g'.FIvJ...OT..}T.u=4...<..Y.a..t...\..@h.0.q.....4...w).T$e..E.}3..6..L....z..E.E..0m\..C....jk#..8...*..!.E.B...i.....Roc..:.}.1...o. ...h....3..`.9......\|XiD...

C:\Users\user\AppData\Local\Temp\Educators

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	7.997381347592521
Encrypted:	true
SSDEEP:	1536:AQdgtq99TD+B2/EFCk7EpOWe230L2qv0Z2BOn7+hJa:Dt99T1KCGEL9gvsZWu7H
MD5:	67AD7FCD7D2CC18081670270833FAF90
SHA1:	AD6286A0AD9B8E97C74AEE1157FA2E3784FE6F51
SHA-256:	18D43ED8EB3F314AF1E3D7A910686AA9866B0991AF1FC68291C4E96B69AD3128
SHA-512:	B5BD93D90798435721CB24A4758CE251377E338B53AD387BBBCCBCE0ECFC413F9612D0BF749851BE72DE15C3D093EA13C2BBB5347CE67973CCB999DA11C89272
Malicious:	false
Preview:	......`<.M0./nm.....3../P\...q.o.&9....r..z.....OF.Ymlal...".Vv.." p.w[{.#.ac....]Z...j..].t.......<b\|}.z.....$_....6#iL.4.!h...?.....-.N;%.cU.,..M..#.......e.@...e...g.i.-..{...u...d.2.......VWOOEG?.&....P.Q..........14...O..i.]..n..w.M.s....I.wr.q.\.r._.@.X..'\A..v.........5.P@Q........Em..=..%..bo..>53....)...S_......W^P.-..j]......B4.y../.....(?!4o....F..BnG........j..\|.W<d.....mH`.....9Z>[>....w7.,.......j..?_..Qv..A....+...^...\....K.....mf..$.N<C..7.u..`8c%~..l...E.d....p>M..%.~.E.N......]....9...d.GH..J.XJ..++.D.yd.0.0..`.w.xO/..9.+..%.Q0..!XO9...%...Q\|...?I..>Q.3x.Ld.l..z<~.rD....a>d.......BB......mh..d....9..I....`.p....V2\...1.D,-q}..q....{@@....>...G..<..`...x.AQ.^........3..(..qWz>K#..(...)\.\A6.}.!..qH....+K.g..._...7x...u..@3U.Y.6..Wi.....Rk.{.ma:^.4.h..2^......v..5......Xm....<".Rsv..#g....'...1Z.Q.d.r.o*.......#.G.o.G....ll:C...M.PS[",.6..O..."f.d..2'...(.#\|...SV.9T.y T......rc..s......3fs #....$..0...t...vA..6.2ma.S

C:\Users\user\AppData\Local\Temp\Generations

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996612473291405
Encrypted:	true
SSDEEP:	1536:AlWpehUdc2LAnaKrBqRCCIPtgPCaFHLip/MA:AEZdc2+aKNN18dFH+CA
MD5:	A416958F4CE3467BC4A4885C89650C63
SHA1:	D47A69CBA5A83FA4DED5FE6E1243FFDEF62768E2
SHA-256:	76B3187698AC2A4BEC709E28D0FF790955BCF2298174844070342F0B9E13409B
SHA-512:	5A4205384F8EC6F8DB8FCAFD521B04CC6370960E5951E03FC87CB7B25FA79E58F828A0B7BC623EE3ADAF19858C9B7CD82C385EC3EEC2BD1D9C0FD26DDBDA7845
Malicious:	false
Preview:	..p....i\.T.wAo.....)k"...z.p...@.W..7}.h.G.ZHx..<'...L.TN...S7..(b;M..S9..[...l.....0\.@\|.....e......r.Oz...A. ...!....}.vd.Ja.rvp..SZ.7B.d..].'......[1.`.h..V...?.BG.jO.5.T......1..W..T;.o.KX'..O&.Z'...(.<(;..g..^-.I_*.6_..$.?.(.m.;]f#H.....h.....e..a.......y.:..n...P^.lrJ(......r.u........g.K....v......t..[.....\......-.i....;&@.%.`..J8dyi...0.c..b....-%...P}......H.{...xIJ2........$............."..#...c.y .......x..E4y.&.>.hi.."...).QR5\...o.<....4...s..&.0.Hk..t.....M.NL.......L.e....=^.{.G".p..,.h.$K..:.K........pt....Na.....8`.....Q..E.:i.L.. m.`y.?.H3.u..P.......\..8..iA..q[.s.uF...x..[...!......e.=......2i..?...,.I.)m.-eR.\3.r~?...g..).eu...'...$.shs....v0w.+.w..d{(M../.."7.=....,.Y\..t.``.'-_{.zV......-.%L.D.o....k.B.9h....m....a4.`..<..M.FGt.&..1.D..VEH.K.....X}....`P......B6.i...4oFkS...F..t...C.i.s<.E...x..D?......8<..\T.]f.y..-6...n>.\.t.^.....=.]I.E..$'...I.{..&36.9I.. ..U~pY......v...b(XG.O.c.~.f.5..<Y.......k..$....l.mY

C:\Users\user\AppData\Local\Temp\Images

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996726756421775
Encrypted:	true
SSDEEP:	1536:lvSjEjdlBN+/hK1QOYbeeatYAViiiPXMiwEVxXTIUHqe:lcEZ1GhzKeatYAViiww2xDWe
MD5:	DFF732C8188D88453492EA60753F1C6A
SHA1:	606941677DA5B05F7A7D05B8CF67B8D030EA1004
SHA-256:	84725AB57A34DFF97906EB1528F4BEB008A09C3B5FF280ACCE3F3BAED38C9B3C
SHA-512:	2329726CFD62C2EB55AA636A21E2932A896DF17AA0B76B6AE3A1EA58E9A2E8DCBBDD93222BB068E095A9E536630B23CB579406B90800F5AAE3AB3B8AA50FF42B
Malicious:	false
Preview:	.e..t...r.G.;L....x!'.f..o..]d0.j../.w......9..Y'J.H_......h[.=.\....a..X5L.6.t..g..tC..e:.A-.e.....O..IrA\(...O7{'.6...)..$...Mu1....H ..4Ml..n....$.Gl3.&.. ...&........r..Eo...-aE...!....#n..`D...D...t.r)....].B.dv..D....Y..}.....a./...E.u..L..l....G..2.;. C..F?.f.......w,Ic&....w....8...Fq=..X5ma..X...Jq,.#..W..".a(..w..s.Sd-..........!. ..o.....4_.F..e$.y....... .......t..&dl......Z .........xO.qHp.b..#.%w...v.. ..t.Cz.3....h..sFL.O.zn.!.p...b..-.;#.a.d....q5...+y.K...0.n>9(..Rm.`...2_.igf.....$wh...r..}p...E.U..N....k.G.f....aX.r.G.......,st%.....G.!....&......?7U....5.U#.B.e}./H.......}....s....J..x.<J.....#..Wsc.l.]3....\|.>j-.....>..(.V.2...}.[&=qSoe.m$.i.:2...F..7kR>........l...N.y..@Z..*.}T^Tt[.....F..PqT..^...F....^,.l....N^.oECWV.P.....P.0......1.gl...'r....1....).....c.....ZpDZ...../i?......~.....hd.y.By]y5.a...=4(.,..5.x..<.._.o....(v..X.....9......w.MxfD.1......N....h....}7./..h...;z.g..M...A.2Q_..id....P............{.Z{..

C:\Users\user\AppData\Local\Temp\Ky

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.997657326549262
Encrypted:	true
SSDEEP:	1536:eg8UAomep7WrEIdT97P9LROpRfw9xc3r6SxgDnt:GUAfep7WrEIB97P9YLfwDc3rJx0t
MD5:	8A238B75196C747EC0DF18C80C159F5F
SHA1:	D22A286D0EE37507AF1CD8C9184BDAE37235836F
SHA-256:	DBED8DA0208234BB370DC2D0E28DFF1110AEB02EC7F1D18DF6511777E6565D9B
SHA-512:	5B6FCDA80821F61D46DCC5AE4618EB6278640F54A8573A097B0FBAFBE466C16F292A42613916D5F84E66043E2F21E939B7A8D457B08E13778E464AA4F45CBA96
Malicious:	false
Preview:	..O-.d.we..=...=.......U......&......D>S./c.6E2(O....efoq..[)......5..VC..&.=..S..p.c.SlKx.....9..a.a.]g#i@.3.@d...{..e.0..."..fCn.......+.D.?",Q._[.:..w..yFT....r-......9i..}.8f..3.....Qb..\|w1m.....I......u.....\|.....Nb.s..}.R./%.3...1Ae-....2g.....`....$.f...I.....1 ....[..UO....A..m.... $%..."C....[.hlh.z....vb5...KY..yB.S.,.a....D..}.xw.[Tr`o.(.}.....&..`M.Ph.\.....;u...\.A..........hT......P....A>.8?#.7/...H..8.eO...)HGW...2.J..5..D5.pAn.....K..k~....r..R`.;mb.5 ..e~..z......-.9.f..y.....~^UF.s....1~..e.Zj2m.i..Y........W.x....3.R.\K...]..a\|.Zi;...y8v.....`..yw.c.X.[..i.J.b\.^9......;(k...~...=((\|....mRRbt.....ss.......`... ..z..Q.....L:..i......e....(yZ.SAc..F.\|.sQ....VO.Z..aV........T.s..,.cS_f.V..h[pM.1.....[..v........)...uaV.Q:.t._`.4.....s..p.....#....{....B..o9......X..*...E.^..<]....i#..1.(6.....I.+~.X...ras@d3....9i...P.....g.jq1.-.h.~T...C.Z.E....9U..I..%......`~"r..<70..V.`G..7...kX.Y..0.H3.z...O..._.}c..

C:\Users\user\AppData\Local\Temp\Lol

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	24097
Entropy (8bit):	7.991655026434422
Encrypted:	true
SSDEEP:	384:Uj1Mu9se3TIyujVHOiVib92hMBJ46vjrRV1+iSLWNJ5wc91mOGt3u8poJtJstGHo:Ujse38y4Vuii92MJr8iSLWNJBkOGt3uc
MD5:	6D927FD0532E71575944F4B1DCBB1523
SHA1:	6AC1DC59FEA4DB99FBD653CABD548742536B1F52
SHA-256:	1430B10F35B6DC0CF7720C049644ED24F09A988E913BCF933F375E6747B68426
SHA-512:	70047A74EBAADD1FE0176ED7622831D95350B9836D50614C4F57BE2962677D6E2131385C920C24808E38B4332AACBE19D3D82FD7C4A85FBCAFE782D709545CE0
Malicious:	false
Preview:	..l .(.z............`....d2.K.`.\w...8.`..=.J..{........N.kJM.D....>$..'.@.\|9)Y....M.e$R....M...Ml..D.?....&........n{7lQ.)......@}...]p.D..R....6a....%.../....\|..+^.....M.1 ..`.+f..PP..G#{.....n.."sOzErB..?..C.....>....Qp...U..O}.x....L.%.nn....Ni.{.w..h....Ybr..1. 0`LN...P..Y".R.9{pW.?G....q.ut..>.{.DzV.(..\.......r..z..zd.N........&.._...0.S."..}.c..^.?\|x.].MS./....t...T.Z.....$....+a.4....Q......U..o......z.. ......c..+.7............\|.mM...;..H.[<..W...............=3.`4...:.>E...Q.^.m.F{T.a........=.....!.6F\5..a..Ut.B}..g.......B..uX.f.So.P%[e............Q^........-p..b..........B.iX..d.<...*.w..B...w.+..n.%^Y...6n.nH.G,.....S@(}D..{.J{......$.F=.L.x.....9.+[KP]&..;mfi.;#...(..._[.n..g.....7.....g.].....F6]37..3w....................]C...r.....&.U.Q>.....p+..l..........VH....;.G......=.........]I^...&O\|..n!.i..#...&..'..`.HE,.......\..~..0+...-..~..$.b.s...\..Ygu.s..F.."..J...I\.\....w..>8....;3.d..o.Sk..O...g.\|..D:..#.,...B....z

C:\Users\user\AppData\Local\Temp\Purchased

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	880314
Entropy (8bit):	6.620579004243944
Encrypted:	false
SSDEEP:	12288:Y0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:Yxz1JMyyzlohMf1tN70aw8501
MD5:	A8901D6FC635950EDCC6B5929837AAB9
SHA1:	709D5B08B7851AFD26A58AC1E3D934E795BA4B92
SHA-256:	84717869488D3D39419E4F460B019B0996A0FF5ADE09267AE90E2238C3F29FF2
SHA-512:	AC61F8C611B38D455026872EB28BE2F993CF741E60538D1BBEB2BDDE08BE89AA08A3F11A6544D9A36C0CAD3A5F175F7AF0E0D5798371F8398481B4CED09EBE54
Malicious:	false
Preview:	....D{'3....7....v....-....O.j.V.........@.3.@.2..I..?@.X.C..?@..?@.!@@.!@@...C...C..?@...C...C.!@@...C...C.U..QQS..VW...C.....G....._J.Ht0H.....H............].........].....At 3._^[..]..w.......n...3.;......3.@..U..QSVW..h.....].......}...Y...R..V.3................~.j.Yj.[..B.....1..;.....\|.]...3..............~.j......[..B.....1..;.....\|.]...3.j.Z.x..3.F..........Q.w...Y..3..A...9p.~..<..t5j..[...Y..t%.4............@......F;p.\|._^[..]...3.....@..$....V...F.....t%...y.............6.u...YV.n...Y..^.........U..E...u.........]...x...;........D....3............U..SV.u.W...................]..u.....F....;.}..W....._.........;.......M...3..~0..........$..............;......."...A...;.\|.W.3..~H......d$..........E..8....uE....h............E....9........Nu.........G..<..tM.E....A...._^[].}....?.}.....].........n.......V....8.....................j............t_j..z........tMh..I........F..F......E._...I..4...^.A....[].=....t.H....S..............s...3..3...3..D....U..QSV

C:\Users\user\AppData\Local\Temp\Ra

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	ASCII text, with very long lines (1468), with CRLF line terminators
Category:	dropped
Size (bytes):	28321
Entropy (8bit):	5.095045521355867
Encrypted:	false
SSDEEP:	768:0bKzHDOSJi6vz24/HNGRdFDBDCoqJbv95o99NxdX:UKzHiOi+fNGRdFDBD1q7Pk
MD5:	26B1281E56DC4459D424A42114A81646
SHA1:	380A5FB5DEB1F47F893C4D1D66B32CD895F6F631
SHA-256:	45933188786C2486DD71305748224F8675C9141FDBD9ECACA4051563B94434F1
SHA-512:	FECD98E3B1E63C1852763DDAF10F13B5BF50D5019A4E9685448D4F8EEF08433D4221FDBC974683A28ACA5698DDFE3BEFB987654D1650F27042A5F5F0538FC7AD
Malicious:	false
Preview:	Set Fw=n..eENonprofit-Furnished-Prices-Waters-..qfGConsistent-Naval-Proportion-Title-Quantitative-Del-Component-Distributions-Indicate-..qcxSBorn-..xYHMarathon-..mlerSupervisors-Violence-Contest-Ends-Cloud-Titles-Optimal-..Set Field=x..MUGyMaintains-Oliver-Contains-Indexed-Upgrading-Simplified-Lucy-Counted-Muslim-..zfEmbassy-Lewis-Provided-..YyoNPainful-Wood-Reconstruction-..sCGif-..liyReserve-Privacy-Representation-Relying-..kAcStats-Impressive-Advanced-Standings-Harder-..MVUpgrading-Commands-Dolls-Wisdom-Court-..ImYiRover-Commission-..lXAdapter-Delegation-Declared-Kingdom-Upskirt-Describe-Struct-..ifJustin-Change-Supplied-..Set Casting=I..qFmMWang-Australia-Mistress-Competition-Positive-Workshops-..zErToshiba-Div-..vUqInvisible-Admitted-..OLMPerforming-..UpMarried-Adidas-Assists-Disaster-Dist-Thomas-Trinity-Xhtml-..PyOIFaqs-Telecharger-Theories-Delhi-Beats-..ZvwLConsiderable-Fifth-..twSmScreenshots-Lift-..Set Crossing=h..WOfVb-..gBDisclaimers-Advanced-Et-Actively-Screen-Photographers

C:\Users\user\AppData\Local\Temp\Ra.bat

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1468), with CRLF line terminators
Category:	dropped
Size (bytes):	28321
Entropy (8bit):	5.095045521355867
Encrypted:	false
SSDEEP:	768:0bKzHDOSJi6vz24/HNGRdFDBDCoqJbv95o99NxdX:UKzHiOi+fNGRdFDBD1q7Pk
MD5:	26B1281E56DC4459D424A42114A81646
SHA1:	380A5FB5DEB1F47F893C4D1D66B32CD895F6F631
SHA-256:	45933188786C2486DD71305748224F8675C9141FDBD9ECACA4051563B94434F1
SHA-512:	FECD98E3B1E63C1852763DDAF10F13B5BF50D5019A4E9685448D4F8EEF08433D4221FDBC974683A28ACA5698DDFE3BEFB987654D1650F27042A5F5F0538FC7AD
Malicious:	false
Preview:	Set Fw=n..eENonprofit-Furnished-Prices-Waters-..qfGConsistent-Naval-Proportion-Title-Quantitative-Del-Component-Distributions-Indicate-..qcxSBorn-..xYHMarathon-..mlerSupervisors-Violence-Contest-Ends-Cloud-Titles-Optimal-..Set Field=x..MUGyMaintains-Oliver-Contains-Indexed-Upgrading-Simplified-Lucy-Counted-Muslim-..zfEmbassy-Lewis-Provided-..YyoNPainful-Wood-Reconstruction-..sCGif-..liyReserve-Privacy-Representation-Relying-..kAcStats-Impressive-Advanced-Standings-Harder-..MVUpgrading-Commands-Dolls-Wisdom-Court-..ImYiRover-Commission-..lXAdapter-Delegation-Declared-Kingdom-Upskirt-Describe-Struct-..ifJustin-Change-Supplied-..Set Casting=I..qFmMWang-Australia-Mistress-Competition-Positive-Workshops-..zErToshiba-Div-..vUqInvisible-Admitted-..OLMPerforming-..UpMarried-Adidas-Assists-Disaster-Dist-Thomas-Trinity-Xhtml-..PyOIFaqs-Telecharger-Theories-Delhi-Beats-..ZvwLConsiderable-Fifth-..twSmScreenshots-Lift-..Set Crossing=h..WOfVb-..gBDisclaimers-Advanced-Et-Actively-Screen-Photographers

C:\Users\user\AppData\Local\Temp\Young

Process:	C:\Users\user\Desktop\eddzD2MA12.exe
File Type:	data
Category:	dropped
Size (bytes):	13332
Entropy (8bit):	6.4283318329956955
Encrypted:	false
SSDEEP:	384:lHAHhww+/2nlP3r1WAL3yQZRMdTQmYwim12sBS:lgH7ACViIeTxYEhs
MD5:	D028D659AA8F3A0CB70A5E1135C4864B
SHA1:	6B64391EECD363CFDF66016121C031B422DEDDE3
SHA-256:	49B41333EFDEA958C04B064C9306DFE491B0E40F258BCA87383380DB72590294
SHA-512:	9668B8E3027A11733173A284DDAAB25635E283343D364B28FA7B45957B918AAB1EC16C831E29F64BA4916CC6A605810D72CA93041754C36D0B909BC98D900269
Malicious:	false
Preview:	NuclearRemarksReliabilityComputation..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\delays.tmp

Process:	C:\Users\user\AppData\Local\Temp\436117\Mother.pif
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:RGRGe:aZ
MD5:	185DC69D7858F155118FE630672BD132
SHA1:	A794F3401B7CA0B9FD7EE27E16F0FAC718B95ADD
SHA-256:	A6B6EB2188F24481091C1C0BBB069EACBF917559CFB0BDB67AB4ECC783559CC8
SHA-512:	8C7C19FC58C88EF5A9916AF8194FCF5E397CC674560D5F776E892D33BBE3EF7248B58FF3BB8ACF607EC0D45114B3C4349C2B5549C78F0A200F806F496A60DAF5
Malicious:	false
Preview:	########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.973067752286615
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eddzD2MA12.exe
File size:	982'817 bytes
MD5:	1bc68d708e953bf10bbf6744a6b91b28
SHA1:	a6938a273e7a82cf4909ca40d224a6430f6a2860
SHA256:	9c46859695bed9bd827e2292e634c39e2982f40d9be6b170d185ae154a1a6a5f
SHA512:	d402f564fc707cdfd6b0853da5c70f0fe7b87e933ce4ff27b28325497dc70439db82bb02c12ed7f1ed804ee3730278117302489c645efbade654f7a9bbd48a06
SSDEEP:	24576:2aTm8nQDF5o5nsuru7m/vQ4MYTsPP+1b3PqfRQ2/9:7pQR2RszOQ4JgPYb3YR/9
TLSH:	762523B955D94829ECF603B27CF4E718DDF2FE561521C84F4280ECDDBBBA612840836A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....

File Icon


Icon Hash:	bebee8e8e4e6bee6

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007FC534F52E2Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007FC534F52B0Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007FC534F52AFBh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007FC534F503FAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007FC534F527D1h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FC534F50483h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FC534F503FAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x11f9a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdc2b9	0x2868	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x11f9a	0x12000	4789e46eb77fe7b118d830c3a7731a28	False	0.8902587890625	data	7.745743368597612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x106000	0xf32	0x1000	ae96beb401979f86e2224f2fb1bd6d8e	False	0.59033203125	data	5.423195658248352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4298	0x97c7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.971972719083773
RT_ICON	0xfda60	0x3b0a	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9915971946539632
RT_ICON	0x10156c	0x1824	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.001779935275081
RT_ICON	0x102d90	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.43500813669650124
RT_ICON	0x1053f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8413120567375887
RT_DIALOG	0x105860	0x100	data	English	United States	0.5234375
RT_DIALOG	0x105960	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x105a7c	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x105adc	0x4c	data	English	United States	0.7894736842105263
RT_VERSION	0x105b28	0x19c	data	English	United States	0.5776699029126213
RT_MANIFEST	0x105cc4	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 07:18:02.071057081 CET	49883	443	192.168.2.4	149.154.167.99
Nov 21, 2024 07:18:02.071095943 CET	443	49883	149.154.167.99	192.168.2.4
Nov 21, 2024 07:18:02.071228981 CET	49883	443	192.168.2.4	149.154.167.99
Nov 21, 2024 07:18:02.084779978 CET	49883	443	192.168.2.4	149.154.167.99
Nov 21, 2024 07:18:02.084794998 CET	443	49883	149.154.167.99	192.168.2.4
Nov 21, 2024 07:18:03.506453991 CET	443	49883	149.154.167.99	192.168.2.4
Nov 21, 2024 07:18:03.506644011 CET	49883	443	192.168.2.4	149.154.167.99

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 07:16:03.399926901 CET	50582	53	192.168.2.4	1.1.1.1
Nov 21, 2024 07:16:03.634114981 CET	53	50582	1.1.1.1	192.168.2.4
Nov 21, 2024 07:18:01.840046883 CET	61239	53	192.168.2.4	1.1.1.1
Nov 21, 2024 07:18:02.065943956 CET	53	61239	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 07:16:03.399926901 CET	192.168.2.4	1.1.1.1	0x7874	Standard query (0)	EMlHLrRfRkqrlGndWg.EMlHLrRfRkqrlGndWg	A (IP address)	IN (0x0001)	false
Nov 21, 2024 07:18:01.840046883 CET	192.168.2.4	1.1.1.1	0x8918	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 07:16:03.634114981 CET	1.1.1.1	192.168.2.4	0x7874	Name error (3)	EMlHLrRfRkqrlGndWg.EMlHLrRfRkqrlGndWg	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2024 07:18:02.065943956 CET	1.1.1.1	192.168.2.4	0x8918	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:15:57
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\eddzD2MA12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eddzD2MA12.exe"
Imagebase:	0x400000
File size:	982'817 bytes
MD5 hash:	1BC68D708E953BF10BBF6744A6B91B28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	01:15:59
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Ra Ra.bat & Ra.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	01:15:59
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	01:16:00
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x840000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	01:16:00
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xb90000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	01:16:01
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x840000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	01:16:01
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0xb90000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	01:16:02
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 436117
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	01:16:02
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "NuclearRemarksReliabilityComputation" Young
Imagebase:	0xb90000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	01:16:02
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Ky + ..\Appears + ..\Educators + ..\Images + ..\Driver + ..\Generations + ..\Lol v
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	01:16:02
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\436117\Mother.pif
Wow64 process (32bit):	true
Commandline:	Mother.pif v
Imagebase:	0x160000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2692560750.0000000001330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2928936722.00000000012A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2929432512.0000000004221000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2692607414.00000000013A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2693129099.0000000001329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2928983225.00000000013A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2928795702.0000000001271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2928795702.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2693002614.0000000001210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2693129099.00000000012E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2692802688.000000000132F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000003.2692696464.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 5%, ReversingLabs Detection: 11%, Virustotal, Browse
Reputation:	moderate
Has exited:	false

Target ID:	11
Start time:	01:16:02
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xe10000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true