Windows Analysis Report
LETTERA DI CONFERMA DEL PAGAMENTO.exe

Overview

General Information

Sample name: LETTERA DI CONFERMA DEL PAGAMENTO.exe
Analysis ID: 1651192
MD5: a5550246c73f30ed5fd68bb236675d46
SHA1: 38eb7760ece55dcdd8943376da40f446bc9469d4
SHA256: 60727aaf2a23d1760c52945ee9b3fa1b39f155ff6ebf98b38a170fba58a6fdde

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification


AV Detection

Source: http://www.viatotor.cfd/awht/?Up5Dxd=8WWHC7wWqzabLylEqC4h4xSUa5Q1ERPluRInRnvP6aHLJY6FsD1in5Ba6ce0RJeZH7zN6VIqS0duX3wRoykHaMJocpJ8Lyik8tyRvKfKAYeOrifkhUVyVr4B9LR1&RtRt=H2TxDP-0yx Avira URL Cloud: Label: malware
Source: http://www.viatotor.cfd/awht/ Avira URL Cloud: Label: malware
Source: http://www.777assistant.xyz/s1k7/?RtRt=H2TxDP-0yx&Up5Dxd=zKlqO7QNcfetDPpTJRNWr1IyWy9Pz553WMXns1xrbNYpuLFGGplxzK50t++Wm/Dpu5XCEj5cJoLsJvwgvv1H2BlHGmx6spHmojpwT52SXD2CVd9QciE69D6Wx6Ed Avira URL Cloud: Label: malware
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Virustotal: Detection: 42%
Source: Yara match File source: 00000002.00000002.419495871.0000000000290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626895631.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419524838.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626885310.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626989631.0000000000560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626861797.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.481410737.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419614314.0000000001FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.627085177.0000000003E60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Neural Call Log Analysis: 83.8%
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: net1.pdb source: svchost.exe, 00000002.00000002.419501407.0000000000346000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419501407.0000000000324000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000940000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000914000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.355344717.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.354380243.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.401261747.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419535822.0000000000740000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419535822.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.400899262.0000000000450000.00000004.00000020.00020000.00000000.sdmp, net1.exe, 00000004.00000003.419809000.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, net1.exe, 00000004.00000002.627106356.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, net1.exe, 00000004.00000002.627106356.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, net1.exe, 00000004.00000003.419508364.0000000000760000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: net1.pdbN source: svchost.exe, 00000002.00000002.419501407.0000000000346000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419501407.0000000000324000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000940000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000914000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: net1.exe, 00000004.00000002.627315561.000000000130C000.00000004.10000000.00040000.00000000.sdmp, net1.exe, 00000004.00000002.626998866.000000000068C000.00000004.00000020.00020000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000002.627266394.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.482046973.00000000015AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rGdWid9z.exe, 00000003.00000002.626883011.000000000020F000.00000002.00000001.01000000.00000004.sdmp, BupJjuMCJB.exe, 00000005.00000002.627216674.000000000104F000.00000002.00000001.01000000.00000005.sdmp

Networking

Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49163 -> 199.59.243.228:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49175 -> 104.26.0.177:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49171 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49169 -> 104.21.94.162:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49177 -> 104.26.0.177:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49181 -> 162.254.38.217:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49176 -> 104.26.0.177:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49173 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49166 -> 199.59.243.228:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49164 -> 199.59.243.228:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49165 -> 199.59.243.228:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49172 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49161 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49170 -> 104.21.94.162:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49179 -> 162.254.38.217:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49182 -> 162.254.38.217:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49168 -> 104.21.94.162:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49167 -> 104.21.94.162:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49174 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49180 -> 162.254.38.217:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49178 -> 104.26.0.177:80
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe DNS query: www.777assistant.xyz
Source: DNS query: www.031232899.xyz
Source: Joe Sandbox View IP Address: 45.33.6.223
Source: Joe Sandbox View IP Address: 76.223.54.146
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: C:\Windows\SysWOW64\net1.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3360000[1].zip
Source: global traffic HTTP traffic detected: GET /s1k7/?RtRt=H2TxDP-0yx&Up5Dxd=zKlqO7QNcfetDPpTJRNWr1IyWy9Pz553WMXns1xrbNYpuLFGGplxzK50t++Wm/Dpu5XCEj5cJoLsJvwgvv1H2BlHGmx6spHmojpwT52SXD2CVd9QciE69D6Wx6Ed HTTP/1.1Host: www.777assistant.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /2021/sqlite-dll-win32-x86-3360000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /j7vq/?Up5Dxd=Bcl9cp41dlHcDC4N7AFqYtSrkG8XSNj0Dw08raKVYGNnS8Fk0dwOiPOkXhtRLsFmQzGgwtyTAOUIspu4tmMliVEfuoO5YMFyI/UM7bEFhyYTRsu/qMC3INXijMdt&RtRt=H2TxDP-0yx HTTP/1.1Host: www.hypehike.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /awht/?Up5Dxd=8WWHC7wWqzabLylEqC4h4xSUa5Q1ERPluRInRnvP6aHLJY6FsD1in5Ba6ce0RJeZH7zN6VIqS0duX3wRoykHaMJocpJ8Lyik8tyRvKfKAYeOrifkhUVyVr4B9LR1&RtRt=H2TxDP-0yx HTTP/1.1Host: www.viatotor.cfdAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /tskx/?Up5Dxd=3FZsyYtvHJrwTHHvKE69JLGDZnzKmCnrMuqRAlJnKL7t2F6wJjOvapVJjCl/gRiWQVTLflE3WPZwa5xfwkUpPmC6JxN15cgxThe6GU7HJW2U+NF71xQUQBXCRD3d&RtRt=H2TxDP-0yx HTTP/1.1Host: www.ambitiouswomen.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /3lf9/?Up5Dxd=5GxzxjzYtuQVaXKi96wJQlL5jVVVED3gsqLy8xSnFJL9Njv/LCMj1519KCJv/YXWDbEHwXyFpdS6CdsXIHJjWfKOpLe5XFlJMx8QFerMn32IswyHn8LLdrliT4lw&RtRt=H2TxDP-0yx HTTP/1.1Host: www.morpakampus.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /qmo0/?Up5Dxd=s/riq2Gjc84WkOXIPYK3MDRDBcdtSPFB6JhYX0OHrW5JrEb3J4m1Tdn1DtTVCNN6q5y0/nExmx/pVjwhpLktH0ipuaSv5IUB3fbV39kfxE7kNJsXW33X5BidtZsd&RtRt=H2TxDP-0yx HTTP/1.1Host: www.streartex.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.777assistant.xyz
Source: global traffic DNS traffic detected: DNS query: www.sqlite.org
Source: global traffic DNS traffic detected: DNS query: www.hypehike.buzz
Source: global traffic DNS traffic detected: DNS query: www.viatotor.cfd
Source: global traffic DNS traffic detected: DNS query: www.ambitiouswomen.net
Source: global traffic DNS traffic detected: DNS query: www.morpakampus.com
Source: global traffic DNS traffic detected: DNS query: www.streartex.live
Source: global traffic DNS traffic detected: DNS query: www.031232899.xyz
Source: unknown HTTP traffic detected: POST /j7vq/ HTTP/1.1Host: www.hypehike.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Length: 2163Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.hypehike.buzzReferer: http://www.hypehike.buzz/j7vq/User-Agent: Mozilla/5.0 (Linux; Android 5.0; ALE-L21 Build/HuaweiALE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36Data Raw: 55 70 35 44 78 64 3d 4d 65 4e 64 66 66 4d 4e 52 56 66 43 4e 53 73 62 75 68 49 7a 50 38 6d 56 70 33 73 33 51 2b 71 32 4d 43 49 57 71 72 79 6c 44 6c 6c 64 46 4f 38 4f 70 64 51 64 72 4c 4c 78 4f 41 64 6d 44 37 6c 69 4c 52 37 77 35 34 6d 58 61 74 30 55 6a 37 36 67 6d 57 45 4f 6a 58 35 6c 6c 5a 2b 6b 51 2f 35 73 59 4c 64 74 36 71 34 75 39 57 35 7a 56 76 2f 6a 2b 64 61 4f 4d 35 4c 49 77 34 74 6f 32 66 54 55 30 56 54 52 76 4c 43 43 32 39 72 31 59 34 70 47 72 58 51 57 49 4e 67 75 30 63 6b 4a 5a 76 35 65 63 47 59 53 4f 77 6e 37 73 52 6b 2f 63 79 61 46 37 33 6e 39 76 68 4f 59 6c 52 59 68 47 38 53 76 6f 37 58 6c 2f 73 78 62 34 6b 48 2b 79 78 31 41 4a 49 77 62 35 44 4c 6f 31 53 58 50 6a 6e 2b 6a 69 50 55 67 62 51 53 34 64 6f 62 5a 4d 36 67 38 44 56 4e 33 4a 37 4b 72 57 4d 74 34 44 71 2f 62 72 6a 66 54 48 64 68 36 69 6f 31 76 72 6a 76 45 45 69 54 64 6c 70 6b 39 6c 71 6d 6a 59 65 74 62 6f 69 5a 70 65 6e 42 43 6c 2b 34 49 43 65 52 53 55 33 6f 69 68 56 4b 68 47 6c 78 44 58 72 62 73 59 46 49 74 55 6a 66 70 6b 33 47 64 6d 67 42 70 4b 4c 76 59 56 62 72 62 36 52 59 44 30 48 67 7a 69 5a 52 6c 6e 52 69 47 6a 36 6a 61 6c 6d 4c 38 6d 4e 33 4e 4f 66 63 4c 63 73 4b 4e 66 6c 6c 42 74 4f 4e 70 7a 4f 51 55 61 63 43 78 6a 67 59 33 71 34 64 4a 30 79 61 51 65 69 46 6a 56 61 5a 65 6b 6a 76 4c 35 37 57 38 58 42 54 50 33 6b 70 44 55 35 73 44 51 35 54 6e 43 6a 79 53 64 2f 
62 47 35 2b 70 76 2b 77 39 69 4f 67 37 63 33 71 65 56 74 45 71 4f 77 70 78 71 53 75 51 6e 73 2b 55 70 62 74 76 6b 41 50 70 62 72 31 67 70 31 43 41 58 71 35 59 77 55 48 6e 42 6a 7a 74 56 6e 59 76 67 53 4e 6c 66 67 4e 4c 39 6a 43 73 47 4f 48 50 4d 4f 6c 37 36 6c 78 38 61 5a 46 5a 59 4c 50 4f 4b 2b 76 56 70 37 5a 6c 54 38 31 64 72 57 55 36 62 2b 45 73 33 48 4d 51 65 42 65 6e 5a 36 7a 54 55 66 39 4e 72 2f 59 79 4b 71 30 37 50 59 44 6a 31 67 75 36 6f 55 51 39 67 36 7a 53 6e 4b 6e 48 39 43 6c 56 36 30 55 45 69 2f 36 49 63 63 4f 54 79 32 4a 43 76 70 49 56 42 6c 42 31 63 4f 31 66 57 33 4e 41 74 46 33 65 72 5a 79 30 48 39 51 75 42 73 61 5a 30 59 49 64 42 5a 64 69 64 7a 74 41 31 50 31 78 6a 58 74 71 58 58 4b 68 54 39 63 43 4f 47 4f 67 73 76 47 77 47 4f 6b 63 38 6a 74 73 73 48 7a 4a 2f 78 45 5a 39 64 43 73 35 62 6a 48 76 6f 32 41 70 77 35 46 58 39 44 68 4a 58 32 77 65 51 5a 76 73 6a 37 64 57 36 44 54 62 6e 4f 69 6f 73 76 44 4e 6b 35 36 72 43 58 41 52 7a 42 41 49 4b 69 37 76 6b 67 70 35 37 47 41 75 64 5a 46 4f 7a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:34:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=43y23FhKx79Gk16HcoYUbnuqadjuX8whiep9DOCDqR3mgSDao2WnIh7jBusw47EZ9kysiupWnHhla75mdBLPbQyMUWbh3gzkpY6I3k3TxOXLr9a9sYYr2x4wbRU3O3e%2FDlKU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9277820aa9dd0f59-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106797&min_rtt=106797&rtt_var=53398&sent=3&recv=5&lost=0&retrans=0&sent_bytes=0&recv_bytes=2777&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vO%2B2eZwXwREyXyp08glH11SE4aqcatu%2FGY%2FRRg9JYykI9B9yyyUV871jMSSvkfsyieRBUfM%2Bfv6k9c%2BMPbifvtX37hdyCFZRtM6Pf4scB%2B8fVdgsj0n4DVZzLfzSzNTlWFjr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9277821c1a184238-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=90326&min_rtt=90326&rtt_var=45163&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=816&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bVG2cloS8Wf2MCWYv0%2FOy2jcBoRcolgBG%2FEQLETpnrWfXDhwCRLaoQUhHsJa8TFspljcCi4f0Ks%2FxGskFf4AkLeprpkVK0opvIKmOEGScRk8UJUufrN5BbVuCKk7kZOrz%2FNj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9277822c8ab4e226-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=89732&min_rtt=89732&rtt_var=44866&sent=4&recv=7&lost=0&retrans=0&sent_bytes=0&recv_bytes=4241&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xWmrW3qd%2Fuo90CZd6dtPY5BGkvfcTm%2B5LLdkKT1PS2eDmxB%2BrogMlk3TnEB8J6q2czJ%2B%2FcG5DCAltnNsCkhablQJpoum2nsFvnXqGlVL%2BHsw4eAhSltA5bdksMv0At2BbGPe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9277823cf9d1f78f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=89267&min_rtt=89267&rtt_var=44633&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=555&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-f
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Mar 2025 13:35:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: net1.exe, 00000004.00000002.627948410.0000000061ECD000.00000008.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: BupJjuMCJB.exe, 00000005.00000002.626989631.00000000005B8000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.streartex.live
Source: BupJjuMCJB.exe, 00000005.00000002.626989631.00000000005B8000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.streartex.live/qmo0/
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: net1.exe, 00000004.00000003.467962206.0000000006534000.00000004.00000020.00020000.00000000.sdmp, 1n61p-.4.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: net1.exe, 00000004.00000003.468329134.0000000006550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: net1.exe, 00000004.00000002.627691581.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 00000004.00000002.627315561.0000000001886000.00000004.10000000.00040000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000002.627266394.00000000035F6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 1n61p-.4.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: net1.exe, 00000004.00000002.627315561.0000000001D3C000.00000004.10000000.00040000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000002.627266394.0000000003AAC000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.morpakampus.com/3lf9/?Up5Dxd=5GxzxjzYtuQVaXKi96wJQlL5jVVVED3gsqLy8xSnFJL9Njv/LCMj1519KCJ
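Two of the URLs recovered from memory above (www.streartex.live/qmo0/ and www.morpakampus.com/3lf9/?Up5Dxd=...) share the shape FormBook uses for its panel: a four-character alphanumeric directory directly under the host, optionally followed by a single query parameter with a short random key and a long opaque value. The triage rule below is an added example for this report, not Joe Sandbox code; the key-length range and the 16-byte minimum on the value are assumptions chosen to fit the two URLs on the page, and the benign look-alikes are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Heuristic derived from the two panel-shaped URLs in this report. The key
# length range (3-8) and the minimum value length are assumptions.
DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")
MIN_VALUE_LEN = 16


def looks_like_formbook_c2(url: str) -> bool:
    """True for http(s)://host/xxxx/ or http(s)://host/xxxx/?key=<long value>."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not DIR_RE.match(parts.path):
        return False
    if not parts.query:
        return True                      # panel root, e.g. http://host/qmo0/
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if len(pairs) != 1:                  # FormBook sends exactly one parameter
        return False
    key, value = pairs[0]
    return bool(KEY_RE.match(key)) and len(value) >= MIN_VALUE_LEN


def scan(urls):
    """Return the URLs that match the heuristic, in input order."""
    return [u for u in urls if looks_like_formbook_c2(u)]


# Sample input: URLs quoted from this report plus constructed benign look-alikes.
SAMPLE_URLS = [
    "http://www.streartex.live",
    "http://www.streartex.live/qmo0/",
    "https://duckduckgo.com/ac/?q=",
    "http://www.sqlite.org/copyright.html",
    "https://www.google.com/favicon.ico",
    "https://www.morpakampus.com/3lf9/?Up5Dxd=5GxzxjzYtuQVaXKi96wJQlL5jVVVED3gsqLy8xSnFJL9Njv/LCMj1519KCJ",
    "http://example.com/abcd/?page=2",          # constructed: value too short
    "http://example.com/abcd/?a=1&b=2",         # constructed: two parameters
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print("suspect:", hit)
```

Treat hits as leads rather than verdicts: a legitimate site with a four-letter path and one query parameter will also match, so in production the rule belongs in a scoring pipeline next to the process that issued the request (here net1.exe and a process under Program Files (x86), neither of which should be browsing).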

E-Banking Fraud

Source: Yara match File source: 00000002.00000002.419495871.0000000000290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626895631.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419524838.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626885310.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626989631.0000000000560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626861797.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.481410737.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419614314.0000000001FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.627085177.0000000003E60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000002.359600734.0000000001314000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_de48dd3a-7
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000002.359600734.0000000001314000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_2d363ec6-d
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5f01986e-3
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_bf02b5bf-c
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: sqlite3.dll.4.dr Static PE information: Number of sections : 18 > 10
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.354451283.0000000002B3D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LETTERA DI CONFERMA DEL PAGAMENTO.exe
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.359072755.0000000002D90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LETTERA DI CONFERMA DEL PAGAMENTO.exe
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.356094084.0000000002B3D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LETTERA DI CONFERMA DEL PAGAMENTO.exe
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000002.359539393.0000000000777000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs LETTERA DI CONFERMA DEL PAGAMENTO.exe
Source: C:\Windows\SysWOW64\net1.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory Jump to behavior
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/7@8/6
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe File created: C:\Users\user\AppData\Local\Temp\aut28B6.tmp Jump to behavior
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\net1.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: net1.exe, 00000004.00000002.627925855.0000000061EB2000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Virustotal: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe "C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe"
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe"
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe Process created: C:\Windows\SysWOW64\net1.exe "C:\Windows\SysWOW64\net1.exe"
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe" Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe Process created: C:\Windows\SysWOW64\net1.exe "C:\Windows\SysWOW64\net1.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" Jump to behavior
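The process tree above shows C:\Windows\SysWOW64\svchost.exe started by the sample with the sample's own command line ("C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe"). A process whose image and argv[0] disagree, and a svchost.exe whose parent is not the service control manager, are both cheap to check from process-creation telemetry. The checker below is an added example written for this report, not Joe Sandbox code or a Sigma rule; the event field names, the expected-parent list and the benign fourth event are assumptions, while the first three events are taken from the lines above.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str      # full path of the creating process
    image: str             # full path of the created process
    command_line: str      # command line handed to the new process


# Parents from which svchost.exe is normally started. services.exe covers the
# service host case; the list is an assumption and should be tuned per estate.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}


def first_token(command_line: str) -> str:
    """Return argv[0] using Windows quoting rules (quoted path, or up to the first space)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def image_mismatch(ev: ProcEvent) -> bool:
    """True when the executing image differs from argv[0]: the footprint of a
    hollowed process that inherited its injector's command line."""
    return base(first_token(ev.command_line)) != base(ev.image)


def uncommon_svchost_parent(ev: ProcEvent) -> bool:
    return base(ev.image) == "svchost.exe" and base(ev.parent_image) not in EXPECTED_SVCHOST_PARENTS


def triage(events):
    findings = []
    for ev in events:
        reasons = []
        if image_mismatch(ev):
            reasons.append("image/command-line mismatch")
        if uncommon_svchost_parent(ev):
            reasons.append("uncommon svchost.exe parent")
        if reasons:
            findings.append((base(ev.image), reasons))
    return findings


# Sample events: the first three follow the process-creation lines of this
# report (the report shows the first parent as "unknown"); the fourth is a
# constructed benign service host start.
SAMPLE_EVENTS = [
    ProcEvent("unknown",
              r"C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe",
              r'"C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe",
              r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe"'),
    ProcEvent(r"C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe",
              r"C:\Windows\SysWOW64\net1.exe",
              r'"C:\Windows\SysWOW64\net1.exe"'),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the hollowed svchost.exe trips either rule. The net1.exe launch from a random-named executable under Program Files (x86) passes both, because net1.exe's argv[0] is honest and it is not svchost.exe; catching that stage needs a parent-child baseline for net1.exe (normally net.exe), which is a separate rule.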
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: browcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe File opened: C:\Windows\SysWOW64\RichEd32.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static file information: File size 1170944 > 1048576
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: net1.pdb source: svchost.exe, 00000002.00000002.419501407.0000000000346000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419501407.0000000000324000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000940000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000914000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.355344717.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, LETTERA DI CONFERMA DEL PAGAMENTO.exe, 00000000.00000003.354380243.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.401261747.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419535822.0000000000740000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419535822.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.400899262.0000000000450000.00000004.00000020.00020000.00000000.sdmp, net1.exe, 00000004.00000003.419809000.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, net1.exe, 00000004.00000002.627106356.0000000000A60000.00000040.00001000.00020000.00000000.sdmp, net1.exe, 00000004.00000002.627106356.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, net1.exe, 00000004.00000003.419508364.0000000000760000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: net1.pdbN source: svchost.exe, 00000002.00000002.419501407.0000000000346000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.419501407.0000000000324000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000940000.00000004.00000020.00020000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.626998389.0000000000914000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: net1.exe, 00000004.00000002.627315561.000000000130C000.00000004.10000000.00040000.00000000.sdmp, net1.exe, 00000004.00000002.626998866.000000000068C000.00000004.00000020.00020000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000002.627266394.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.482046973.00000000015AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rGdWid9z.exe, 00000003.00000002.626883011.000000000020F000.00000002.00000001.01000000.00000004.sdmp, BupJjuMCJB.exe, 00000005.00000002.627216674.000000000104F000.00000002.00000001.01000000.00000005.sdmp
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: sqlite3.dll.4.dr Static PE information: section name: /4
Source: sqlite3.dll.4.dr Static PE information: section name: /19
Source: sqlite3.dll.4.dr Static PE information: section name: /31
Source: sqlite3.dll.4.dr Static PE information: section name: /45
Source: sqlite3.dll.4.dr Static PE information: section name: /57
Source: sqlite3.dll.4.dr Static PE information: section name: /70
Source: sqlite3.dll.4.dr Static PE information: section name: /81
Source: sqlite3.dll.4.dr Static PE information: section name: /92
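Section names of the form /4, /19, /31 are not random: in PE/COFF a name longer than eight bytes is stored as a slash followed by a decimal offset into the COFF string table, which follows the symbol table. GNU binutils emits these for DWARF sections, so a MinGW-built sqlite3.dll with 18 sections is what that layout suggests. The parser below is an added example for this report (not Joe Sandbox code); it builds a synthetic header-only PE with such names and resolves them. The set of "standard" section names and the synthetic image are assumptions.

```python
import struct

# Section names a typical MSVC-linked PE carries; anything else is reported
# as non-standard. The set is an assumption and intentionally small.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
SYMBOL_SIZE = 18          # size of one COFF symbol table entry (PE/COFF spec)


def parse_section_names(data: bytes):
    """Return [(raw 8-byte name, resolved long name or None)] for every section.

    A raw name "/N" is a decimal offset into the COFF string table, located at
    PointerToSymbolTable + NumberOfSymbols * 18. The table's first four bytes
    hold its own size, so the first real string starts at offset 4."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, symptr, nsyms,
     optsize, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    strtab = symptr + nsyms * SYMBOL_SIZE if symptr else None
    first = coff + 20 + optsize                     # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        raw = data[first + 40 * i: first + 40 * i + 8]
        short = raw.rstrip(b"\0").decode("ascii", "replace")
        long_name = None
        if short.startswith("/") and short[1:].isdigit() and strtab is not None:
            off = strtab + int(short[1:])
            long_name = data[off:data.index(b"\0", off)].decode("ascii", "replace")
        names.append((short, long_name))
    return names


def nonstandard_sections(data: bytes):
    """Resolved names of all sections outside STANDARD_SECTIONS."""
    return [long_name or short for short, long_name in parse_section_names(data)
            if (long_name or short) not in STANDARD_SECTIONS]


def build_sample_pe() -> bytes:
    """Construct a header-only PE (no code, not loadable) with two ordinary
    sections and three GNU-style long-named sections. Purely synthetic data."""
    long_names = [".debug_info", ".debug_aranges", ".debug_line"]
    body = b"".join(n.encode() + b"\0" for n in long_names)
    strtab = struct.pack("<I", 4 + len(body)) + body      # size field + strings
    offsets, off = [], 4
    for n in long_names:
        offsets.append(off)
        off += len(n) + 1
    sections = [b".text", b".rdata"] + [f"/{o}".encode() for o in offsets]
    opt_size, symptr = 0xE0, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, symptr, 0, opt_size, 0x2102)
    hdrs = dos + b"PE\0\0" + coff + b"\0" * opt_size
    for name in sections:
        hdrs += name.ljust(8, b"\0") + b"\0" * 32               # rest of the 40-byte header
    if len(hdrs) > symptr:
        raise ValueError("headers overlap the symbol table")
    return hdrs.ljust(symptr, b"\0") + strtab


if __name__ == "__main__":
    for short, long_name in parse_section_names(build_sample_pe()):
        print(f"{short:<8} -> {long_name or '(short name)'}")
```

Run against a real file with `parse_section_names(open(path, "rb").read())`. The offsets listed for sqlite3.dll above (4, 19, 31, 45, 57, 70, 81, 92) are spaced 15, 12, 14, 12, 13, 11 and 11 bytes apart, which matches the NUL-terminated lengths of .debug_aranges, .debug_info, .debug_abbrev, .debug_line, .debug_frame, .debug_str and .debug_loc in the order GCC usually emits them; only the dropped binary's own string table confirms that, but a MinGW build with debug info is consistent with an unmodified SQLite DLL shipped as a tool rather than a packed payload.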
Source: C:\Windows\SysWOW64\net1.exe File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe API/Special instruction interceptor: Address: 72D71C
Source: C:\Windows\SysWOW64\net1.exe Window / User API: threadDelayed 9832 Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\net1.exe TID: 3616 Thread sleep count: 129 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe TID: 3616 Thread sleep time: -258000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe TID: 3676 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe TID: 3616 Thread sleep count: 9832 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe TID: 3616 Thread sleep time: -19664000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\net1.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\net1.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtQueryInformationProcess: Direct from: 0x774CFAFA Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe NtCreateUserProcess: Direct from: 0x774D093E Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtCreateKey: Direct from: 0x774CFB62 Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtQuerySystemInformation: Direct from: 0x774D20DE Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe NtWriteVirtualMemory: Direct from: 0x774D213E Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtCreateFile: Direct from: 0x774D00D6 Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtSetTimer: Direct from: 0x774D021A Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtOpenFile: Direct from: 0x774CFD86 Jump to behavior
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtSetInformationThread: Direct from: 0x774E9893
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtOpenKeyEx: Direct from: 0x774CFA4A
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtAllocateVirtualMemory: Direct from: 0x774CFAE2
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtResumeThread: Direct from: 0x774D008D
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtOpenKeyEx: Direct from: 0x774D103A
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtDelayExecution: Direct from: 0x774CFDA1
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtSetInformationProcess: Direct from: 0x774CFB4A
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtSetInformationThread: Direct from: 0x774CF9CE
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtReadFile: Direct from: 0x774CF915
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtMapViewOfSection: Direct from: 0x774CFC72
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtCreateThreadEx: Direct from: 0x774D08C6
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtDeviceIoControlFile: Direct from: 0x774CF931
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtRequestWaitReplyPort: Direct from: 0x753C6BCE
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtQueryValueKey: Direct from: 0x774CFACA
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtOpenSection: Direct from: 0x774CFDEA
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtProtectVirtualMemory: Direct from: 0x774D005A
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe NtWriteVirtualMemory: Direct from: 0x774CFE36
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe NtRequestWaitReplyPort: Direct from: 0x756F8D92
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtQueryVolumeInformationFile: Direct from: 0x774CFFAE
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtNotifyChangeKey: Direct from: 0x774D0F92
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtQueryAttributesFile: Direct from: 0x774CFE7E
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe NtReadVirtualMemory: Direct from: 0x774CFEB2
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtSetTimer: Direct from: 0x774E98D5
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe NtQuerySystemInformation: Direct from: 0x774CFDD2
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe protection: execute and read and write
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe Section loaded: NULL target: C:\Windows\SysWOW64\net1.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net1.exe Section loaded: NULL target: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe protection: read write
Source: C:\Windows\SysWOW64\net1.exe Section loaded: NULL target: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net1.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\net1.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net1.exe Thread APC queued: target process: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\BupJjuMCJB.exe
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LETTERA DI CONFERMA DEL PAGAMENTO.exe"
Source: C:\Program Files (x86)\EMNJeTTlkQkIIjjKIvaMmQrOemPJNTPsEGuuejKdptDmhgjWVyz\rGdWid9z.exe Process created: C:\Windows\SysWOW64\net1.exe "C:\Windows\SysWOW64\net1.exe"
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: LETTERA DI CONFERMA DEL PAGAMENTO.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rGdWid9z.exe, 00000003.00000000.403059453.0000000000B80000.00000002.00000001.00040000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.627042938.0000000000B80000.00000002.00000001.00040000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000000.434017018.0000000001070000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: rGdWid9z.exe, 00000003.00000000.403059453.0000000000B80000.00000002.00000001.00040000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.627042938.0000000000B80000.00000002.00000001.00040000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000000.434017018.0000000001070000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: rGdWid9z.exe, 00000003.00000000.403059453.0000000000B80000.00000002.00000001.00040000.00000000.sdmp, rGdWid9z.exe, 00000003.00000002.627042938.0000000000B80000.00000002.00000001.00040000.00000000.sdmp, BupJjuMCJB.exe, 00000005.00000000.434017018.0000000001070000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\net1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\cxex2xx0.zip VolumeInformation
Source: C:\Windows\SysWOW64\net1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.419495871.0000000000290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626895631.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419524838.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626885310.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626989631.0000000000560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626861797.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.481410737.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419614314.0000000001FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.627085177.0000000003E60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\net1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\net1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\net1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\SysWOW64\net1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

Remote Access Functionality

Source: Yara match File source: 00000002.00000002.419495871.0000000000290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626895631.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419524838.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626885310.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626989631.0000000000560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.626861797.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.481410737.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.419614314.0000000001FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.627085177.0000000003E60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY