Windows Analysis Report
y1X5s1Oz0Q.exe

Overview

General Information

Sample name: y1X5s1Oz0Q.exe
renamed because original name is a hash value
Original sample name: ffe58002561c927433fb391a123c9f23.exe
Analysis ID: 1416002
MD5: ffe58002561c927433fb391a123c9f23
SHA1: 7b8d97cef22c86e4c514b78d9ac529357c98d4d3
SHA256: bfba1372de8815592db5b58d15e36ecfad1428bd34aea1161b3552cedbc6ca49
Tags: 32exe

Detection

BitRAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected BitRAT
Yara detected MSILDownloaderGeneric
Yara detected PureLog Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

AV Detection

Source: y1X5s1Oz0Q.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: 00000000.00000002.2095919147.0000000008471000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: BitRat {"Host": "103.153.182.247", "Port": "6161", "Tor Port": "0", "Install Dir": "Install path", "Install File": "Install name", "Communication Password": "81dc9bdb52d04dc20036dbd8313ed055", "Tor Process Name": "tor", "Version": "1.38"}
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe ReversingLabs: Detection: 36%
Source: y1X5s1Oz0Q.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Joe Sandbox ML: detected
Source: y1X5s1Oz0Q.exe Joe Sandbox ML: detected
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a0b1175c-1
Source: y1X5s1Oz0Q.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: y1X5s1Oz0Q.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, y1X5s1Oz0Q.exe, 00000000.00000002.2093679696.0000000006300000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, y1X5s1Oz0Q.exe, 00000000.00000002.2093679696.0000000006300000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_004269D4 FindFirstFileExW,GetLastError, 4_2_004269D4
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_005D04A0 FindFirstFileW,GetLastError, 4_2_005D04A0
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_063C3E50
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_063C3E4A
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then jmp 063DF8BFh 0_2_063DF860
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then jmp 063DF8BFh 0_2_063DF851
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then jmp 063E17A4h 0_2_063E17AE
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then jmp 063E00C2h 0_2_063E0006
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then jmp 063E00C2h 0_2_063E0040
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0646DE10
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 9_2_068A23E8
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 9_2_068A23F0
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then jmp 0692F8BFh 9_2_0692F851
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then jmp 0692F8BFh 9_2_0692F860
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then jmp 069317A4h 9_2_069317AE
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then jmp 069300C2h 9_2_06930006
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then jmp 069300C2h 9_2_06930040
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 9_2_069BDE10

Networking

Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 416, type: MEMORYSTR
Source: Malware configuration extractor IPs: 103.153.182.247
Source: Yara match File source: y1X5s1Oz0Q.exe, type: SAMPLE
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.2ef3a74.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.y1X5s1Oz0Q.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2708070838.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2083733249.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 103.153.182.247:6161
Source: global traffic HTTP traffic detected: GET /attachments/1217028370865455188/1222062384437526538/Fdliipctaw.mp3?ex=6614d949&is=66026449&hm=76c14076f197408a74d02bd5e16b3cfd0651a02372cd195e0f28026e0e131609& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View ASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 103.153.182.247
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003261000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003261000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: y1X5s1Oz0Q.exe, Ujqqnhnbwgz.exe.0.dr String found in binary or memory: https://cdn.discordapp.com/attachments/1217028370865455188/1222062384437526538/Fdliipctaw.mp3?ex=661
Source: y1X5s1Oz0Q.exe, y1X5s1Oz0Q.exe, 00000004.00000002.4217248741.0000000000618000.00000040.00000400.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2751536854.0000000007323000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 0000000B.00000002.2828062498.00000000008E0000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_004CCA85 SetWindowsHookExW 0000000D,Function_000278CC,00000000,00000000 4_2_004CCA85
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Windows user hook set: 0 mouse low level NULL Jump to behavior

System Summary

Source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.unpack, type: UNPACKEDPE Matched rule: Detects BitRAT RAT Author: ditekSHen
Source: 11.2.Ujqqnhnbwgz.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Detects BitRAT RAT Author: ditekSHen
Source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects BitRAT RAT Author: ditekSHen
Source: Process Memory Space: y1X5s1Oz0Q.exe PID: 5328, type: MEMORYSTR Matched rule: Windows_Trojan_Bitrat_34bd6c83 Author: unknown
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0047DA23 GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread, 4_2_0047DA23
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_005CF200: CreateFileW,DeviceIoControl,CloseHandle, 4_2_005CF200
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: String function: 0068AAD0 appears 144 times
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: String function: 00411DDD appears 168 times
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: String function: 0068A4E0 appears 61 times
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: String function: 0068B440 appears 53 times
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 200
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2090177642.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVbnhtlkdfw.exe" vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVbnhtlkdfw.exe" vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000000.1750961553.0000000000978000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVbnhtlkdfw.exe" vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083324380.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2093679696.0000000006300000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2090473348.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVlronqjfbjw.dll" vs y1X5s1Oz0Q.exe
Source: y1X5s1Oz0Q.exe Binary or memory string: OriginalFilenameVbnhtlkdfw.exe" vs y1X5s1Oz0Q.exe
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: quartz.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: qcap.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Section loaded: userenv.dll
Source: y1X5s1Oz0Q.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BitRAT author = ditekSHen, description = Detects BitRAT RAT, clamav_sig = MALWARE.Win.Trojan.BitRAT
Source: 11.2.Ujqqnhnbwgz.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BitRAT author = ditekSHen, description = Detects BitRAT RAT, clamav_sig = MALWARE.Win.Trojan.BitRAT
Source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BitRAT author = ditekSHen, description = Detects BitRAT RAT, clamav_sig = MALWARE.Win.Trojan.BitRAT
Source: Process Memory Space: y1X5s1Oz0Q.exe PID: 5328, type: MEMORYSTR Matched rule: Windows_Trojan_Bitrat_34bd6c83 reference_sample = 37f70ae0e4e671c739d402c00f708761e98b155a1eefbedff1236637c4b7690a, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bitrat, fingerprint = bc4a5fad1810ad971277a455030eed3377901a33068bb994e235346cfe5a524f, id = 34bd6c83-9a71-43d5-b0b1-1646a8fb66e8, last_modified = 2021-08-23
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@11/10@1/2
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_005AA8FF GetLastError,___swprintf_l,FormatMessageA,___swprintf_l,___swprintf_l,GetLastError,SetLastError, 4_2_005AA8FF
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0047E75C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 4_2_0047E75C
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_00459B80 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle, 4_2_00459B80
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_00422D5E GetLastError,LoadResource,LockResource,SizeofResource, 4_2_00422D5E
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ujqqnhnbwgz.vbs
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3176
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Mutant created: \Sessions\1\BaseNamedObjects\46e2e8c7a15a0ac0b917b587c631ad69
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e7654fe9-4319-4aab-ad29-763f09bca001
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ujqqnhnbwgz.vbs"
Source: y1X5s1Oz0Q.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: y1X5s1Oz0Q.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: y1X5s1Oz0Q.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File read: C:\Users\user\Desktop\y1X5s1Oz0Q.exe
Source: unknown Process created: C:\Users\user\Desktop\y1X5s1Oz0Q.exe "C:\Users\user\Desktop\y1X5s1Oz0Q.exe"
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process created: C:\Users\user\Desktop\y1X5s1Oz0Q.exe "C:\Users\user\Desktop\y1X5s1Oz0Q.exe"
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe "C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe"
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process created: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe "C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe"
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 200
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: y1X5s1Oz0Q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: y1X5s1Oz0Q.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, y1X5s1Oz0Q.exe, 00000000.00000002.2093679696.0000000006300000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, y1X5s1Oz0Q.exe, 00000000.00000002.2093679696.0000000006300000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: y1X5s1Oz0Q.exe, 00000000.00000002.2083587429.0000000001340000.00000004.08000000.00040000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003421000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: y1X5s1Oz0Q.exe, BaseRequestPage.cs .Net Code: SortSingleton System.Reflection.Assembly.Load(byte[])
Source: Ujqqnhnbwgz.exe.0.dr, BaseRequestPage.cs .Net Code: SortSingleton System.Reflection.Assembly.Load(byte[])
Source: 0.2.y1X5s1Oz0Q.exe.2ef3a74.2.raw.unpack, BaseRequestPage.cs .Net Code: SortSingleton System.Reflection.Assembly.Load(byte[])
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.y1X5s1Oz0Q.exe.6300000.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.y1X5s1Oz0Q.exe.1340000.0.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.y1X5s1Oz0Q.exe.1340000.0.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.y1X5s1Oz0Q.exe.1340000.0.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.y1X5s1Oz0Q.exe.1340000.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.y1X5s1Oz0Q.exe.1340000.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.3551a0c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.51dcbf0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.44995b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.76f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.47195d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2083733249.0000000002E42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2083733249.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2708070838.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2714497732.0000000004422000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2083733249.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2708070838.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2094381297.00000000076F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2714497732.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2714497732.0000000004719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3064, type: MEMORYSTR
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0047E7DD LoadLibraryA,GetProcAddress, 4_2_0047E7DD
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FA05E7 push eax; retn 0070h 0_2_00FA05F2
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FA05D7 push eax; retn 0070h 0_2_00FA05E2
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FA0597 push eax; retn 0070h 0_2_00FA05D2
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FAD94B pushad ; ret 0_2_00FAD955
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FADBBE push edi; ret 0_2_00FADB91
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FADB28 push ecx; ret 0_2_00FADB29
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FAAB22 pushad ; retf 0_2_00FAAB23
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_00FADCC0 push ebx; iretd 0_2_00FADCC1
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063C0758 push 683C158Bh; retf 0_2_063C0760
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063C1241 pushfd ; retf 0_2_063C1242
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063C4AC2 pushfd ; retf 0_2_063C4AC3
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063C08FF pushfd ; retf 0_2_063C090C
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063C50E4 pushfd ; retf 0_2_063C50E5
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063D9E1F push es; ret 0_2_063D9F00
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063DFC0D pushfd ; retf 0_2_063DFC0E
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063DFBBC pushfd ; retf 0_2_063DFBBD
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063DFB81 pushfd ; retf 0_2_063DFB82
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E9606 pushfd ; retf 0_2_063E960A
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E966B pushfd ; retf 0_2_063E967A
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063ED6BA push es; iretd 0_2_063ED6F8
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E473A pushfd ; retf 0_2_063E473B
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E170F pushfd ; retf 0_2_063E1710
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E477E pushfd ; retf 0_2_063E477F
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E47B6 pushfd ; retf 0_2_063E47B7
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E3431 pushfd ; retf 0_2_063E3432
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E9426 pushfd ; retf 0_2_063E9430
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E44B9 pushfd ; retf 0_2_063E44C0
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E9558 pushfd ; retf 0_2_063E9569
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E0253 pushfd ; retf 0_2_063E0254
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063E4394 pushfd ; retf 0_2_063E4395
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 0_2_063EB001 push es; ret 0_2_063EB010
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File created: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe

Boot Survival

Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ujqqnhnbwgz.vbs
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Install name

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File created: C:\Users\user\AppData\Local:26-03-2024
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_00584F3E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00584F3E
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3064, type: MEMORYSTR
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe File opened: \Device\RasAcd count: 398437
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002E42000.00000004.00000800.00020000.00000000.sdmp, y1X5s1Oz0Q.exe, 00000000.00000002.2083733249.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.00000000033BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: 66F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: 6490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: 8470000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: 7910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Memory allocated: 1730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Memory allocated: 6C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Memory allocated: 69E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Window / User API: threadDelayed 1826
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Window / User API: threadDelayed 4916
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe API coverage: 8.9 %
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe TID: 3756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe TID: 2652 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe TID: 3372 Thread sleep time: -4916000s >= -30000s
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe TID: 5424 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe TID: 3372 Thread sleep time: -179000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe TID: 2708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe TID: 5928 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread sleep count: Count: 1826 delay: -10
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_004CA8CC GetKeyboardLayout followed by cmp: cmp ecx, 00000416h and CTI: je 004CAF76h 4_2_004CA8CC
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_004CA8CC GetKeyboardLayout followed by cmp: cmp ecx, 00000816h and CTI: jne 004CAF86h 4_2_004CA8CC
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_004269D4 FindFirstFileExW,GetLastError, 4_2_004269D4
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_005D04A0 FindFirstFileW,GetLastError, 4_2_005D04A0
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0044DE59 GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo, 4_2_0044DE59
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Thread delayed: delay time: 922337203685477
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sBeufeIRjJPeKqeMuEQE.exe0
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2714497732.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2781291435.0000000007E60000.00000004.00000020.00020000.00000000.sdmp, Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sBeufeIRjJPeKqeMuEQE.exe
Source: wscript.exe, 00000008.00000002.2368151082.000002133CD45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: OpenWith.exe, 00000007.00000002.2323238098.000001FE6CCB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.00000000033BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sBeufeIRjJPeKqeMuEQE0$Q
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.00000000033BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2705916678.0000000001568000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: Ujqqnhnbwgz.exe, 00000009.00000002.2708070838.0000000003584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sBeufeIRjJPeKqeMuEQE
Source: wscript.exe, 00000008.00000002.2368151082.000002133CD45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~
Source: y1X5s1Oz0Q.exe, 00000000.00000002.2083324380.0000000001038000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: y1X5s1Oz0Q.exe, 00000004.00000002.4225803363.000000000149A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process information queried: ProcessInformation
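The memory strings in this section (SBIEDLL.DLL, the Win32_BIOS and Win32_ComputerSystem queries, the regex fragments "VMware|VIRTUAL|A M I|Xen" and "Microsoft|VMWare|Virtual", and the GetKeyboardLayout comparisons against 0x416 and 0x816) are enough to reconstruct the gating logic a sandbox has to pass. The following is an added reconstruction, not code from the sample or from the sandbox vendor: the WMI calls are replaced by a constructed dictionary so it runs offline, the pairing of the SerialNumber regex with Win32_BIOS and the Model regex with Win32_ComputerSystem is inferred from the string layout, case-insensitive matching is an assumption, and the report does not show which branch of the keyboard-layout compare terminates the sample, so only the comparison is reproduced.

```python
import re

# Regexes copied from the memory strings above; RegexOptions are not visible
# in the report, so case-insensitive matching is an assumption.
BIOS_SERIAL_RE = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.IGNORECASE)
SYSTEM_MODEL_RE = re.compile(r"Microsoft|VMWare|Virtual", re.IGNORECASE)
SANDBOXIE_DLL = "sbiedll.dll"

# Language ids compared in 4_2_004CA8CC: 0x0416 is pt-BR, 0x0816 is pt-PT.
PORTUGUESE_LAYOUTS = {0x0416, 0x0816}


def wmi_looks_virtual(win32_bios, win32_computersystem):
    """Apply the SerialNumber / Model regexes to the rows that
    'SELECT * FROM Win32_BIOS' and 'select * from Win32_ComputerSystem'
    would return (here: plain dicts standing in for the WMI objects)."""
    serial = win32_bios.get("SerialNumber", "")
    model = win32_computersystem.get("Model", "")
    return bool(BIOS_SERIAL_RE.search(serial) or SYSTEM_MODEL_RE.search(model))


def sandboxie_present(loaded_modules):
    """SbieDll.dll in the module list means the process runs under Sandboxie."""
    return any(m.rsplit("\\", 1)[-1].lower() == SANDBOXIE_DLL for m in loaded_modules)


def keyboard_layout_matches(hkl):
    """GetKeyboardLayout returns an HKL whose low word is the language id;
    mirror the cmp ecx,416h / cmp ecx,816h checks on that word."""
    return (hkl & 0xFFFF) in PORTUGUESE_LAYOUTS


def evasion_checks(host):
    """Run every check on a constructed host description and report which
    ones fire. A sandbox that wants this sample to detonate must pass none
    of the VM/sandbox checks; whether the layout match is a kill switch or
    a target filter cannot be read from the report."""
    return {
        "wmi_virtual": wmi_looks_virtual(host["Win32_BIOS"], host["Win32_ComputerSystem"]),
        "sandboxie": sandboxie_present(host["modules"]),
        "pt_layout": keyboard_layout_matches(host["hkl"]),
    }


# Constructed host descriptions for demonstration; not data from the report.
VMWARE_GUEST = {
    "Win32_BIOS": {"SerialNumber": "VMware-56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"},
    "Win32_ComputerSystem": {"Model": "VMware Virtual Platform"},
    "modules": ["C:\\Windows\\System32\\kernel32.dll",
                "C:\\Program Files\\Sandboxie\\SbieDll.dll"],
    "hkl": 0x04090409,  # en-US
}
PHYSICAL_HOST = {
    "Win32_BIOS": {"SerialNumber": "PF1A2B3C"},
    "Win32_ComputerSystem": {"Model": "ThinkPad T14 Gen 3"},
    "modules": ["C:\\Windows\\System32\\kernel32.dll"],
    "hkl": 0x04160416,  # pt-BR
}

if __name__ == "__main__":
    print("VMware guest:", evasion_checks(VMWARE_GUEST))
    print("physical host:", evasion_checks(PHYSICAL_HOST))
```

The practical use is on the sandbox side: run the same regexes against the BIOS serial and system model your analysis VMs actually report, and rename or patch them until nothing matches, otherwise the second stage never runs and the report stops at the loader.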

Anti Debugging

Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0047DA23 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000 4_2_0047DA23
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0068B5B1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0068B5B1
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0047E7DD LoadLibraryA,GetProcAddress, 4_2_0047E7DD
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_006A482C mov eax, dword ptr fs:[00000030h] 4_2_006A482C
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0040F6F5 GetProcessHeap, 4_2_0040F6F5
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0068B5B1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0068B5B1
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0068A7EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0068A7EA
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_00694A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00694A7C
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0047DDD3 CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 4_2_0047DDD3
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Memory written: C:\Users\user\Desktop\y1X5s1Oz0Q.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Memory written: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe base: 600000 value starts with: 4D5A
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Process created: C:\Users\user\Desktop\y1X5s1Oz0Q.exe "C:\Users\user\Desktop\y1X5s1Oz0Q.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe "C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe"
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Process created: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe "C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe"
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0040EA72 cpuid 4_2_0040EA72
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: EnumSystemLocalesW, 4_2_006AB108
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: EnumSystemLocalesW, 4_2_006B4238
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: EnumSystemLocalesW, 4_2_006B4283
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: EnumSystemLocalesW, 4_2_006B431E
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: GetLocaleInfoW, 4_2_006B45FB
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: GetLocaleInfoW, 4_2_006AB6A7
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_006B4724
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: GetLocaleInfoW, 4_2_006B482B
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_006B48F8
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_006B3FC0
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: GetLocaleInfoW, 4_2_005968B4
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: ___crtGetLocaleInfoEx, 4_2_005969B6
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Queries volume information: C:\Users\user\Desktop\y1X5s1Oz0Q.exe VolumeInformation
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Queries volume information: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ujqqnhnbwgz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0041369B GetSystemTimes,GetCurrentProcess,GetProcessTimes,GetTickCount64, 4_2_0041369B
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_0068039F GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8, 4_2_0068039F
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
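Two of the entries above carry the whole story of how the payload lands in a clean process: the call chain in 4_2_0047DDD3 (CreateProcessW, GetThreadContext, ReadProcessMemory, VirtualAllocEx, three WriteProcessMemory calls, SetThreadContext, ResumeThread, which is process hollowing) and the 4D5A-prefixed writes to base 400000 / 600000 of a second instance of the same executable. The Anti Debugging section adds NtSetInformationThread with information class 0x11, which is ThreadHideFromDebugger, plus the DebugPort query and IsDebuggerPresent. The following is added detection logic written for this report, not code from the sandbox vendor or the sample: it scores an API-call trace for exactly those behaviours. The (pid, api, args) trace format and the sample trace are constructed stand-ins for whatever your sandbox or EDR emits.

```python
# Information classes the sample uses; values are the documented Windows
# constants, not something read from this report.
THREAD_HIDE_FROM_DEBUGGER = 0x11   # NtSetInformationThread
PROCESS_DEBUG_PORT = 0x07          # NtQueryInformationProcess

# Ordered call pattern that, taken together, is process hollowing: a child is
# created, its thread context and image read, a new image written into it,
# and the thread resumed at the injected entry point.
HOLLOWING_CHAIN = (
    "CreateProcessW", "GetThreadContext", "ReadProcessMemory", "VirtualAllocEx",
    "WriteProcessMemory", "SetThreadContext", "ResumeThread",
)


def in_order(calls, pattern):
    """True if pattern occurs as a (not necessarily contiguous) subsequence."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def analyze_trace(trace):
    """Group a trace of (pid, api, args) tuples per process and report, per
    pid, the hollowing chain, remote writes of a PE image (buffer starting
    with 'MZ' into another process), ThreadHideFromDebugger calls and
    generic debugger checks."""
    per_pid = {}
    for pid, api, args in trace:
        per_pid.setdefault(pid, []).append((api, args))

    findings = {}
    for pid, calls in per_pid.items():
        apis = [api for api, _ in calls]
        hide = sum(1 for api, a in calls
                   if api == "NtSetInformationThread"
                   and a.get("info_class") == THREAD_HIDE_FROM_DEBUGGER)
        dbg = sum(1 for api, a in calls
                  if api == "IsDebuggerPresent"
                  or (api == "NtQueryInformationProcess"
                      and a.get("info_class") == PROCESS_DEBUG_PORT))
        remote_pe = any(api == "WriteProcessMemory"
                        and a.get("target_pid") != pid
                        and a.get("buffer", b"")[:2] == b"MZ"
                        for api, a in calls)
        findings[pid] = {
            "process_hollowing": in_order(apis, HOLLOWING_CHAIN),
            "remote_pe_write": remote_pe,
            "hide_from_debugger": hide,
            "debugger_checks": dbg,
        }
    return findings


# Constructed trace modelled on the entries in this report (pid 416 is the
# loader, 5328 its hollowed child); pid 1234 is benign noise.
SAMPLE_TRACE = [
    (416, "CreateProcessW", {"image": "y1X5s1Oz0Q.exe", "child_pid": 5328}),
    (416, "GetThreadContext", {}),
    (416, "ReadProcessMemory", {"target_pid": 5328}),
    (416, "VirtualAllocEx", {"target_pid": 5328, "base": 0x400000}),
    (416, "WriteProcessMemory", {"target_pid": 5328, "base": 0x400000, "buffer": b"MZ\x90\x00"}),
    (416, "WriteProcessMemory", {"target_pid": 5328, "base": 0x401000, "buffer": b"\x55\x8b\xec"}),
    (416, "WriteProcessMemory", {"target_pid": 5328, "base": 0x402000, "buffer": b"\x00\x00\x00"}),
    (416, "SetThreadContext", {}),
    (416, "ResumeThread", {}),
    (5328, "NtSetInformationThread", {"info_class": 0x11}),
    (5328, "IsDebuggerPresent", {}),
    (5328, "NtQueryInformationProcess", {"info_class": 0x07}),
    (1234, "CreateProcessW", {"image": "notepad.exe", "child_pid": 4321}),
    (1234, "ReadFile", {}),
    (1234, "IsDebuggerPresent", {}),   # CRT startup/exception paths call this too
]

if __name__ == "__main__":
    for pid, result in analyze_trace(SAMPLE_TRACE).items():
        print(pid, result)
```

Weight the signals accordingly: IsDebuggerPresent on its own is weak evidence, since the MSVC runtime calls it in its unhandled-exception path (that is what 4_2_0068B5B1 and 4_2_00694A7C above look like), whereas a ThreadHideFromDebugger call and a cross-process write that begins with 4D5A have no benign explanation in a user application.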

Stealing of Sensitive Information

Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Ujqqnhnbwgz.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2095919147.0000000008471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2820847538.0000000000601000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2084374301.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2751536854.0000000007323000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 5328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3176, type: MEMORYSTR
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.5dd0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.5dd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2090473348.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.42acf20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Ujqqnhnbwgz.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.425cf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Ujqqnhnbwgz.exe.74edf58.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2095919147.0000000008471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2820847538.0000000000601000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2084374301.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2751536854.0000000007323000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y1X5s1Oz0Q.exe PID: 5328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ujqqnhnbwgz.exe PID: 3176, type: MEMORYSTR
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.5dd0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y1X5s1Oz0Q.exe.5dd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2090473348.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_00683398 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 4_2_00683398
Source: C:\Users\user\Desktop\y1X5s1Oz0Q.exe Code function: 4_2_006826C2 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 4_2_006826C2