Windows Analysis Report
bot.exe

Overview

General Information

Sample name: bot.exe
Analysis ID: 1532244
MD5: 3870b1e1ca36deec20214c6ae51f8f16
SHA1: feefcdc98dae9d1a720f8626af58f136f6468a0b
SHA256: d10449f12f6bd9f29e59600486bd48a49c0f7263a990ed82b9b2a635f4706fac
Tags: exe, user-aachum

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Creates files in alternative data streams (ADS)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Suspicious Ping/Del Command Combination
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\Desktop\bot.exe:a.dll Avira: detection malicious, Label: HEUR/AGEN.1354117
Source: 2.2.bot.exe.140000000.0.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "109.107.181.162", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "15", "self_destruct": true, "extensions": "none", "links": "none", "grabber_max_size": 1048576}
Source: bot.exe ReversingLabs: Detection: 42%
Source: bot.exe Virustotal: Detection: 41%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\bot.exe:a.dll Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014006FB80 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140035CF7 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140035E00 CryptUnprotectData
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014006FEA0 CryptProtectData,LocalFree
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: bot.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140034F90 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140035061 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014007EAB0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,GetLogicalDriveStringsW,GetTimeZoneInformation
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: C:\Users\user\Desktop\bot.exe Code function: 4x nop then push rdi 0_2_00007FF7F8A1C950
Source: C:\Users\user\Desktop\bot.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7F8A1C460
Source: C:\Users\user\Desktop\bot.exe Code function: 4x nop then push rdi 2_2_00007FF7F8A1C950
Source: C:\Users\user\Desktop\bot.exe Code function: 4x nop then sub rsp, 28h 2_2_00007FF7F8A1C460

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.7:49699 -> 109.107.181.162:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.7:49699 -> 109.107.181.162:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.7:49699 -> 109.107.181.162:15666
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: global traffic TCP traffic: 192.168.2.7:49699 -> 109.107.181.162:15666
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: TELEPORT-TV-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014007C5E0 recv,recv,closesocket,WSACleanup
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: bot.exe, 00000002.00000003.1455279514.000001EC26E80000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1455314455.000001EC26E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: bot.exe, 00000002.00000003.1288855876.000001EC26E71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/RegirF~b
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bot.exe, 00000002.00000003.1289744841.000001EC25264000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000002.1456698198.000001EC2524E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bot.exe String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: bot.exe, 00000002.00000003.1299473293.000001EC27020000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC285FA000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299473293.000001EC27028000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D2A000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27CE5000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27D32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: bot.exe, 00000002.00000003.1299473293.000001EC27020000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC285FA000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299473293.000001EC27028000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D2A000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27CE5000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27D32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: bot.exe, 00000002.00000003.1301182951.000001EC2702F000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC28601000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: bot.exe, 00000002.00000003.1301182951.000001EC2702F000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC28601000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F89146A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F8913060 GetCurrentProcess,NtQueryInformationProcess,GetTempPathA,strlen,strlen,memcpy
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F8913C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140082030 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400D06E8 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400819C5 NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F8916A40 2_2_00007FF7F8916A40
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F892DA84 2_2_00007FF7F892DA84
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F8925B20 2_2_00007FF7F8925B20
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F8913C70 2_2_00007FF7F8913C70
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F8935140 2_2_00007FF7F8935140
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F89F7220 2_2_00007FF7F89F7220
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F8917290 2_2_00007FF7F8917290
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F892D367 2_2_00007FF7F892D367
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F89134D0 2_2_00007FF7F89134D0
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F892C4A0 2_2_00007FF7F892C4A0
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F89364F0 2_2_00007FF7F89364F0
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 0000000140034B20 appears 41 times
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 000000014002DE50 appears 37 times
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 00007FF7F8A12CD0 appears 32 times
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 00000001400300A0 appears 79 times
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 000000014008D6C8 appears 59 times
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 000000014002DDE0 appears 49 times
Source: C:\Users\user\Desktop\bot.exe Code function: String function: 00007FF7F8A1C0A0 appears 43 times
Source: bot.exe_a.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/2
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F89146A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose, 0_2_00007FF7F89146A4
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014006CE40 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString, 2_2_000000014006CE40
Source: C:\Users\user\Desktop\bot.exe File created: C:\Users\user\Desktop\bot.exe:a.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
Source: C:\Users\user\Desktop\bot.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69636FA13009
Source: bot.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bot.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: bot.exe ReversingLabs: Detection: 42%
Source: bot.exe Virustotal: Detection: 41%
Source: unknown Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe"
Source: C:\Users\user\Desktop\bot.exe Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe"
Source: C:\Users\user\Desktop\bot.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\bot.exe Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe" Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: bot.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: bot.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: bot.exe Static file information: File size 2746880 > 1048576
Source: bot.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10bc00
Source: bot.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x16f600
Source: bot.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F8913D77 strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7F8913D77
Source: bot.exe Static PE information: section name: .xdata
Source: bot.exe_a.dll.0.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F892AAF6 push rsp; retf 0_2_00007FF7F892AAF9
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F892D857 push rax; iretd 0_2_00007FF7F892D858
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F892AAF6 push rsp; retf 2_2_00007FF7F892AAF9
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F892D857 push rax; iretd 2_2_00007FF7F892D858
Source: C:\Users\user\Desktop\bot.exe File created: C:\Users\user\Desktop\bot.exe:a.dll Jump to dropped file
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400741C2 OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 2_2_00000001400741C2
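The "Static PE information" lines above (11 sections, .text and .rdata over 1 MiB, the 0x140000000 image base, HIGH_ENTROPY_VA/DYNAMIC_BASE/NX_COMPAT, the .xdata section) can be reproduced from the raw headers without a PE library. The following is an added example, not part of the sandbox report and not bot.exe's own bytes: it constructs a PE32+ header set with the properties the report lists (the two raw sizes the report quotes are reused, every other size is made up) and runs the same checks over it. Only the DOS, COFF, optional and section headers are parsed.

```python
"""Static PE32+ header triage reproducing the report's static checks (added example)."""
import struct

# winnt.h constants
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Thresholds the report applies in its "Static PE information" lines
MAX_SECTIONS = 10
BIG_SECTION = 0x100000
BIG_IMAGE_BASE = 0x60000000


def parse_pe_headers(data: bytes) -> dict:
    """Parse DOS, COFF, optional (PE32+ only) and section headers; section bodies are never read."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte ImageBase in PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics
    sections, base = [], opt + opt_size
    for i in range(nsections):
        name, vsize, _va, rawsize, _rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, base + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "flags": flags})
    return {"machine": machine, "image_base": image_base, "dll_characteristics": dll_chars, "sections": sections}


def triage(pe: dict) -> list:
    """Emit findings worded like the report's static lines; the W+X check is extra and does not fire here."""
    findings = []
    n = len(pe["sections"])
    if n > MAX_SECTIONS:
        findings.append(f"Number of sections : {n} > {MAX_SECTIONS}")
    if pe["image_base"] > BIG_IMAGE_BASE:
        findings.append(f"Image base 0x{pe['image_base']:x} > 0x{BIG_IMAGE_BASE:x}")
    dc = pe["dll_characteristics"]
    labels = [label for bit, label in ((IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, "HIGH_ENTROPY_VA"),
                                       (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, "DYNAMIC_BASE"),
                                       (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, "NX_COMPAT")) if dc & bit]
    if labels:
        findings.append(", ".join(labels))
    for s in pe["sections"]:
        if s["virtual_size"] > BIG_SECTION:
            findings.append(f"Virtual size of {s['name']} is bigger than: 0x{BIG_SECTION:x}")
        if s["raw_size"] > BIG_SECTION:
            findings.append(f"Raw size of {s['name']} is bigger than: 0x{BIG_SECTION:x} < 0x{s['raw_size']:x}")
        if s["name"] == ".xdata":   # GCC/MinGW unwind data; MSVC-built images do not carry this section
            findings.append("section name: .xdata")
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32+ headers mirroring the layout the report describes; not the real file."""
    R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
    CODE, IDATA, UDATA = IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA
    specs = [  # (name, VirtualSize, SizeOfRawData, Characteristics); typical MinGW x64 section set
        (b".text", 0x10BA00, 0x10BC00, CODE | IDATA | X | R),
        (b".data", 0x7000, 0x7000, IDATA | R | W),
        (b".rdata", 0x16F500, 0x16F600, IDATA | R),
        (b".pdata", 0xC000, 0xC000, IDATA | R),
        (b".xdata", 0xE000, 0xE000, IDATA | R),
        (b".bss", 0x3000, 0, UDATA | R | W),
        (b".idata", 0x3000, 0x3000, IDATA | R | W),
        (b".CRT", 0x100, 0x200, IDATA | R | W),
        (b".tls", 0x100, 0x200, IDATA | R | W),
        (b".rsrc", 0x1000, 0x1000, IDATA | R),
        (b".reloc", 0x4000, 0x4000, IDATA | R),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(specs), 0, 0, 0, 240, 0x22)
    dll_chars = (IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                 | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x10BC00, 0x200000, 0x3000, 0x1400, 0x1000, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2A0000, 0x600, 0, 3, dll_chars,
                      0x200000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data directories
    headers, va, raw = b"", 0x1000, 0x600
    for name, vsize, rawsize, flags in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, raw if rawsize else 0, 0, 0, 0, 0, flags)
        va += (vsize + 0xFFF) & ~0xFFF
        raw += rawsize
    return dos + b"PE\0\0" + coff + opt + headers


if __name__ == "__main__":
    for line in triage(parse_pe_headers(build_sample_pe())):
        print(line)
```

These are heuristics, not verdicts: a 0x140000000 image base and the three DllCharacteristics bits are what current x64 linkers emit by default, and .xdata is ordinary GCC/MinGW unwind data, so on their own they mainly tell the analyst which toolchain built the sample; the oversized .text/.rdata and the 2.7 MB file size fit a statically linked C++ stealer. The writable-and-executable check is included because it is the one that would matter, and it does not trigger on this layout.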

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\bot.exe File created: C:\Users\user\Desktop\bot.exe:a.dll Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"
Source: C:\Users\user\Desktop\bot.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe" Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
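The two behaviours in this section, the ping/del chain that removes the dropper after a short delay and the PE written into the bot.exe:a.dll alternate data stream, are simple to detect from process-creation and file-stream telemetry. The following is an added detection example and not code from the report: it runs over constructed Sysmon-style records (Event ID 1 for process creation, Event ID 15 for named-stream writes) that mirror the lines above, and the record field names are assumptions about such telemetry rather than any product's exact schema.

```python
"""Detection for ping/del self-deletion and executable ADS drops (added example, constructed input)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class ProcessCreate:          # Sysmon Event ID 1, fields trimmed to what the rule needs (assumed names)
    image: str
    command_line: str
    parent_image: str


@dataclass
class FileCreateStream:       # Sysmon Event ID 15: a file with a named stream was written (assumed names)
    image: str
    target_filename: str


PING_RE = re.compile(r"\bping(?:\.exe)?\s+(?P<target>\S+)(?P<args>[^&|]*)", re.I)
DEL_RE = re.compile(r'[&|]+\s*(?:del|erase)\s+(?P<switches>(?:/\w+\s+)*)"?(?P<path>[^"&|]+?)"?\s*$', re.I)
ADS_RE = re.compile(r"^(?P<file>[A-Za-z]:\\[^:]+):(?P<stream>[^:\\]+?)(?::\$DATA)?$")
EXEC_EXT = (".dll", ".exe", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")
MOTW_STREAMS = {"zone.identifier"}   # Mark-of-the-Web stream written by browsers and Explorer; benign


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ping_del_rule(ev: ProcessCreate) -> Optional[dict]:
    """cmd.exe running 'ping ... & del <file>'. The strong signal is self-deletion:
    the deleted path equals the image of the process that spawned cmd.exe."""
    if basename(ev.image) != "cmd.exe":
        return None
    ping, delete = PING_RE.search(ev.command_line), DEL_RE.search(ev.command_line)
    if not (ping and delete) or ping.start() > delete.start():
        return None
    victim = delete.group("path").strip()
    return {"rule": "ping_del_combination", "ping_target": ping.group("target"), "deleted": victim,
            "self_delete": victim.lower() == ev.parent_image.lower(), "parent": ev.parent_image}


def ads_drop_rule(ev: FileCreateStream) -> Optional[dict]:
    """A named stream with an executable-looking name, or attached to the writer's own image,
    is suspicious; a lone Zone.Identifier write is not."""
    m = ADS_RE.match(ev.target_filename)
    if not m:
        return None
    stream = m.group("stream")
    if stream.lower() in MOTW_STREAMS:
        return None
    on_self = m.group("file").lower() == ev.image.lower()
    looks_executable = stream.lower().endswith(EXEC_EXT)
    if not (on_self or looks_executable):
        return None
    return {"rule": "ads_executable_drop", "host_file": m.group("file"), "stream": stream,
            "on_own_image": on_self, "writer": ev.image}


def run(events: List[Union[ProcessCreate, FileCreateStream]]) -> List[dict]:
    hits = []
    for ev in events:
        hit = ping_del_rule(ev) if isinstance(ev, ProcessCreate) else ads_drop_rule(ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed records mirroring the report's process tree and dropped-file lines, plus benign look-alikes
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Users\user\Desktop\bot.exe", r'"C:\Users\user\Desktop\bot.exe"', r"C:\Users\user\Desktop\bot.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"',
                  r"C:\Users\user\Desktop\bot.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 8.8.8.8 -n 4", r"C:\Windows\explorer.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c del /q "C:\\Temp\\old.log"', r"C:\Windows\explorer.exe"),
    FileCreateStream(r"C:\Users\user\Desktop\bot.exe", r"C:\Users\user\Desktop\bot.exe:a.dll"),
    FileCreateStream(r"C:\Windows\explorer.exe", r"C:\Users\user\Downloads\setup.exe:Zone.Identifier"),
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

The discriminator in the ping/del rule is the correlation, not the commands: ping used as a sleep is common in benign batch files, but the deleted path matching the parent's image is the self-deletion the report flags. Note that "ping 1.1.1.1 -n 1 -w 3000" only pauses for the full 3 s when 1.1.1.1 does not answer, which is exactly the situation in a network-isolated sandbox. For the stream rule, Zone.Identifier writes are routine Mark-of-the-Web traffic and are excluded, whereas a DLL-named stream on the writer's own image is how the sample stages a second PE without a second file appearing in a directory listing (the report notes the dropped stream was not started during this run).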

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bot.exe:a.dll Jump to dropped file
Source: C:\Users\user\Desktop\bot.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\bot.exe API coverage: 8.2 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError, 2_2_00000001400B6740
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140034F90 FindFirstFileW,FindNextFileW, 2_2_0000000140034F90
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140035061 FindFirstFileW,FindNextFileW, 2_2_0000000140035061
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014007EAB0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,GetLogicalDriveStringsW,GetTimeZoneInformation, 2_2_000000014007EAB0
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140094A30 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 2_2_0000000140094A30
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\migration\ Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\ Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\migration\wtr\ Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\ Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\ Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\ Jump to behavior
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1289744841.000001EC25264000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000002.1456698198.000001EC2524E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: bot.exe, 00000002.00000002.1456698198.000001EC2524E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\bot.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F8913D77 strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7F8913D77
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000000014008D3D8
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400B8A44 GetLastError,IsDebuggerPresent,OutputDebugStringW, 2_2_00000001400B8A44
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F8913D77 strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7F8913D77
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400A4D28 GetProcessHeap, 2_2_00000001400A4D28
Source: C:\Users\user\Desktop\bot.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F89111D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy, 0_2_00007FF7F89111D9
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00000001400D02D8 SetUnhandledExceptionFilter, 2_2_00000001400D02D8
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000000014008D3D8
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_00007FF7F89111D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 2_2_00007FF7F89111D9

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\bot.exe NtQueryInformationProcess: Indirect: 0x7FF7F8913CAD Jump to behavior
Source: C:\Users\user\Desktop\bot.exe NtClose: Indirect: 0x7FF7F8914830
Source: C:\Users\user\Desktop\bot.exe NtQueryInformationProcess: Indirect: 0x7FF7F8913098 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Memory written: C:\Users\user\Desktop\bot.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Thread register set: target process: 6768 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_0000000140072EC0 ShellExecuteW, 2_2_0000000140072EC0
Source: C:\Users\user\Desktop\bot.exe Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe" Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F8914350 cpuid 0_2_00007FF7F8914350
Source: C:\Users\user\Desktop\bot.exe Code function: EnumSystemLocalesW, 2_2_00000001400A409C
Source: C:\Users\user\Desktop\bot.exe Code function: EnumSystemLocalesW, 2_2_00000001400A416C
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00000001400A4204
Source: C:\Users\user\Desktop\bot.exe Code function: EnumSystemLocalesW, 2_2_0000000140099354
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoW, 2_2_00000001400D0390
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoEx,FormatMessageA, 2_2_00000001400B63B0
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoW, 2_2_00000001400A4450
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00000001400A45A8
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoW, 2_2_00000001400A4658
Source: C:\Users\user\Desktop\bot.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00000001400A4784
Source: C:\Users\user\Desktop\bot.exe Code function: GetLocaleInfoW, 2_2_0000000140099898
Source: C:\Users\user\Desktop\bot.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_00000001400A3D50
Source: C:\Users\user\Desktop\bot.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Code function: 0_2_00007FF7F892B4F9 GetSystemTimeAsFileTime, 0_2_00007FF7F892B4F9
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014007DCC0 GetUserNameW, 2_2_000000014007DCC0
Source: C:\Users\user\Desktop\bot.exe Code function: 2_2_000000014007F210 GetTimeZoneInformation, 2_2_000000014007F210

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\config
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\config
Source: bot.exe, 00000002.00000003.1336291282.000001EC2944B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "software": "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",
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\bot.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG Jump to behavior
Source: C:\Users\user\Desktop\bot.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\bot.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
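The accesses above are the artifacts a credential stealer reads: the Chromium "Login Data", "Web Data", "History" and cookie databases and Local Storage leveldb files for Chrome and Edge, the Firefox key4.db, cookies.sqlite, places.sqlite and prefs.js, wallet directories such as Exodus\exodus.wallet and Ethereum\keystore, the monero-core registry key and the Outlook profile key. The following is an added example and not part of the report: it classifies constructed file and registry access events against a catalogue of those artifacts and flags any process other than the store's own application, treating one process touching several categories as the stealer pattern. The owner-process lists and the Brave path are assumptions for illustration.

```python
"""Credential-store access classification (added example, constructed input)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Access:
    image: str     # process image path
    target: str    # file path or registry key


# (category, pattern, processes expected to touch it); matched case-insensitively on
# backslash-normalised targets, with per-installation profile names wildcarded.
CATALOG = [
    ("chromium_credentials",
     r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\"
     r"(Login Data( For Account)?|Web Data|History|Network\\Cookies|Extension Cookies)$",
     {"chrome.exe", "msedge.exe", "brave.exe"}),
    ("chromium_localstorage",
     r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\Local Storage\\leveldb\\",
     {"chrome.exe", "msedge.exe", "brave.exe"}),
    ("firefox_profile",
     r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key4\.db|logins\.json|cookies\.sqlite|places\.sqlite|prefs\.js)$",
     {"firefox.exe"}),
    ("crypto_wallet",
     r"\\(Exodus\\exodus\.wallet|Ethereum\\keystore|Electrum-LTC\\config|ElectronCash\\config)(\\|$)",
     {"exodus.exe", "electrum-ltc.exe", "electron-cash.exe"}),
    ("crypto_wallet_registry",
     r"^HKEY_CURRENT_USER\\SOFTWARE\\monero-project\\monero-core",
     {"monero-wallet-gui.exe"}),
    ("outlook_profile_registry",
     r"\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676$",
     {"outlook.exe"}),
]
COMPILED = [(cat, re.compile(pat, re.I), owners) for cat, pat, owners in CATALOG]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(target: str) -> Optional[str]:
    """Return the store category a path or key belongs to, or None for anything else."""
    norm = target.replace("/", "\\")
    for cat, rx, _ in COMPILED:
        if rx.search(norm):
            return cat
    return None


def detect(events: List[Access]) -> Dict[str, object]:
    """Map each non-owner process to the store categories it touched and list
    those that touched two or more (breadth is the stealer signature)."""
    touched: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        cat = classify(ev.target)
        if cat is None:
            continue
        owners = next(o for c, _, o in COMPILED if c == cat)
        if basename(ev.image) in owners:
            continue                      # the application reading its own store
        touched[ev.image].add(cat)
    multi = sorted(img for img, cats in touched.items() if len(cats) >= 2)
    return {"touched": {k: sorted(v) for k, v in touched.items()}, "multi_store_processes": multi}


BOT = r"C:\Users\user\Desktop\bot.exe"
SAMPLE_EVENTS = [   # constructed from the report's "File opened" / "Key opened" lines plus benign owner reads
    Access(BOT, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db"),
    Access(BOT, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Access(BOT, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    Access(BOT, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001"),
    Access(BOT, r"HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core"),
    Access(BOT, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Access(BOT, r"C:\Users\user\Desktop\desktop.ini"),
    Access(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Access(r"C:\Program Files\Mozilla Firefox\firefox.exe",
           r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Browsers open their own stores constantly, so the owner allowlist is what keeps the rule quiet; the useful signal is breadth, since a legitimate tool rarely needs Firefox keys, Chrome and Edge cookies, a Monero configuration and an Outlook profile in one run, which is exactly the sequence the lines above show. Opening the files is only the first step: Chromium passwords and cookies are DPAPI-protected, which is why the module list earlier in the report includes dpapi.dll and vaultcli.dll.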

Remote Access Functionality

Source: Yara match File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR