Windows Analysis Report
qZJOfO5jjs.exe

Overview

General Information

Sample name: qZJOfO5jjs.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 8e753a0bba630ae58d01e1553c4b0b0fe1a2a0011843f5fc0705a04e82fbe3eb
Analysis ID: 1417159
MD5: 1938aba4971fdbe17cccaaebcd1a23b4
SHA1: eee4b6f8b67887aba9cdcb1927497e0dded055c8
SHA256: 8e753a0bba630ae58d01e1553c4b0b0fe1a2a0011843f5fc0705a04e82fbe3eb

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a control shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: qZJOfO5jjs.exe ReversingLabs: Detection: 56%
Source: qZJOfO5jjs.exe Joe Sandbox ML: detected
Source: qZJOfO5jjs.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: \CallBack\x64\Release\CallBack.pdb source: qZJOfO5jjs.exe
Source: Binary string: C:\Users\Administrator.PC-20170413SJJU\Desktop\XAntiDebug\Release\test.cpp.pdb source: qZJOfO5jjs.exe, qZJOfO5jjs.exe, 00000000.00000002.3216373894.0000000000D10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\code\android\donut\development\host\windows\usb\api\objfre_wxp_x86\i386\AdbWinApi.pdb source: qZJOfO5jjs.exe
Source: Binary string: c:\code\android\donut\development\host\windows\usb\api\objfre_wxp_x86\i386\AdbWinApi.pdb(PA source: qZJOfO5jjs.exe
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 4x nop then mov eax, dword ptr [esi] 0_2_0040C2CB
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 4x nop then mov eax, dword ptr [esi] 0_2_0040C2CC
Source: qZJOfO5jjs.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: qZJOfO5jjs.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: qZJOfO5jjs.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: qZJOfO5jjs.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: qZJOfO5jjs.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: qZJOfO5jjs.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: qZJOfO5jjs.exe String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: qZJOfO5jjs.exe String found in binary or memory: http://dywt.com.cn
Source: qZJOfO5jjs.exe String found in binary or memory: http://dywt.com.cnservice
Source: qZJOfO5jjs.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: qZJOfO5jjs.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: qZJOfO5jjs.exe String found in binary or memory: http://ocsp.digicert.com0L
Source: qZJOfO5jjs.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: qZJOfO5jjs.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: qZJOfO5jjs.exe String found in binary or memory: http://ocsp.thawte.com0
Source: qZJOfO5jjs.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: qZJOfO5jjs.exe String found in binary or memory: http://www.openssl.org/support/faq.html
Source: qZJOfO5jjs.exe String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: qZJOfO5jjs.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02516210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A, 0_2_02516210
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02517A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02517A30
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02522AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02522AD0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0251DA90
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_025162B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A, 0_2_025162B0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02516350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02516350
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02519340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA, 0_2_02519340
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02530B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02530B70
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02531370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA, 0_2_02531370
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02518310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA, 0_2_02518310
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0251D330
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0252D330
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02514BD0 NtdllDefWindowProc_A, 0_2_02514BD0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251CBC0 GetPropA,NtdllDefWindowProc_A, 0_2_0251CBC0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA, 0_2_0251C3F0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02522BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02522BF0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02516010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect, 0_2_02516010
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0252C800
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_025148E0 NtdllDefWindowProc_A, 0_2_025148E0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA, 0_2_0252D8E0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_025198B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer, 0_2_025198B0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02515940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A, 0_2_02515940
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02515900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A, 0_2_02515900
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02512E40 NtdllDefWindowProc_A, 0_2_02512E40
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02521630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA, 0_2_02521630
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02524EA0 GetPropA,NtdllDefWindowProc_A, 0_2_02524EA0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA, 0_2_0252FEA0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0251F750
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02518710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent, 0_2_02518710
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0252E7F0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02524790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02524790
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0251E440
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02518CB0 GetPropA,NtdllDefWindowProc_A, 0_2_02518CB0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_025314B0 GetPropA,NtdllDefWindowProc_A, 0_2_025314B0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_0251FD50
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect, 0_2_0252FD50
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02518D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A, 0_2_02518D40
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02516560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02516560
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02514510 NtdllDefWindowProc_A, 0_2_02514510
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02523DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA, 0_2_02523DA0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe File deleted: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00406C34 0_2_00406C34
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_004090A5 0_2_004090A5
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0040C4BB 0_2_0040C4BB
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0040C2CB 0_2_0040C2CB
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0040C2CC 0_2_0040C2CC
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02512250 0_2_02512250
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02527BA0 0_2_02527BA0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02513970 0_2_02513970
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02538E7A 0_2_02538E7A
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251B6E0 0_2_0251B6E0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02538D56 0_2_02538D56
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02527540 0_2_02527540
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0251EDA0 0_2_0251EDA0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D34510 0_2_00D34510
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D1B8D2 0_2_00D1B8D2
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D1D0B1 0_2_00D1D0B1
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D1D9CD 0_2_00D1D9CD
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D1A1E2 0_2_00D1A1E2
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D13930 0_2_00D13930
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D116D0 0_2_00D116D0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D1BE44 0_2_00D1BE44
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D21272 0_2_00D21272
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D14270 0_2_00D14270
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D1B360 0_2_00D1B360
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D13F33 0_2_00D13F33
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: String function: 025360E2 appears 34 times
Source: qZJOfO5jjs.exe, 00000000.00000000.1968226783.00000000004FE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSkinH_EL.dll vs qZJOfO5jjs.exe
Source: qZJOfO5jjs.exe, 00000000.00000000.1968226783.00000000004FE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAdbWinApi.dll8 vs qZJOfO5jjs.exe
Source: qZJOfO5jjs.exe, 00000000.00000002.3216457097.0000000002548000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSkinH_EL.dll vs qZJOfO5jjs.exe
Source: qZJOfO5jjs.exe Binary or memory string: OriginalFilenameSkinH_EL.dll vs qZJOfO5jjs.exe
Source: qZJOfO5jjs.exe Binary or memory string: OriginalFilenameAdbWinApi.dll8 vs qZJOfO5jjs.exe
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: qZJOfO5jjs.exe Binary string: H:\Device\HarddiskVolume6G:\Device\HarddiskVolume5F:\Device\HarddiskVolume4E:\Device\HarddiskVolume3D:\Device\HarddiskVolume2C:\Device\HarddiskVolume1\Device\VBScript.RegExpIgnoreCaseMultilineSinglelineGlobalPatternExecuteReplaceCountItemValueFirstIndexSubMatches
Source: qZJOfO5jjs.exe Binary string: \Device\HarddiskVolume6
Source: qZJOfO5jjs.exe Binary string: \Device\HarddiskVolume5
Source: qZJOfO5jjs.exe Binary string: \Device\HarddiskVolume4
Source: qZJOfO5jjs.exe Binary string: \Device\
Source: qZJOfO5jjs.exe Binary string: \Device\HarddiskVolume3
Source: qZJOfO5jjs.exe Binary string: \Device\HarddiskVolume2
Source: qZJOfO5jjs.exe Binary string: \Device\HarddiskVolume1
Source: classification engine Classification label: mal60.evad.winEXE@6/1@0/1
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0252B8F0 GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,FreeLibrary, 0_2_0252B8F0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe File created: C:\Users\user\Desktop\myd3d.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: qZJOfO5jjs.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qZJOfO5jjs.exe String found in binary or memory: id-cmc-addExtensions
Source: qZJOfO5jjs.exe String found in binary or memory: set-addPolicy
Source: qZJOfO5jjs.exe String found in binary or memory: cat /sys/class/net/wlan0/address
Source: qZJOfO5jjs.exe String found in binary or memory: 9com.android.adbkeyboard/.AdbIMEam broadcast -a ADB_INPUT_TEXT --es msg cat /proc/cpuinfogetprop dhcp.eth0.dns1getprop dhcp.eth0.dns2wm densityPHYSical density: getprop phone.imeigetprop phone.imsicat /sys/class/net/wlan0/addressgetprop dhcp.eth0.macgetprop phone.simserialsettings get secure android_idgetprop ro.build.version.releasedumpsys batterylevel: wm sizesize: getprop ro.phone.manufacturergetprop ro.phone.linenumgetprop ro.product.modelgetprop ro.runtime.firstbootgetprop dhcp.eth0.gatewaysetprop dhcp.eth0.dns1 DNS1
Source: qZJOfO5jjs.exe String found in binary or memory: am force-stop
Source: qZJOfO5jjs.exe String found in binary or memory: contentView=tickerText=mRankingTimeMs=/sdcard/Pictures/1.apkpm install -f Success-k pm uninstall dumpsys meminfo am force-stop pm hide unhide pm -f -d -e -s -3 -ipm list packagespackage: installer=am start -n pm clear pm path no process found foram start -a android.intent.action.VIEW -d com.qihoo.browser/org.chromium.chrome.browser.ChromeTabbedActivitycom.tencent.mtt.x86/.MainActivitycom.dolphin.browser.xf/mobi.mgeek.TunnyBrowser.MainActivitycom.oupeng.browser/com.opera.android.OperaMainActivitycom.mx.browser/.MxBrowserActivitycom.UCMobile/com.uc.browser.InnerUCMobilecom.baidu.searchbox/.MainActivity
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe File read: C:\Users\user\Desktop\qZJOfO5jjs.exe
Source: unknown Process created: C:\Users\user\Desktop\qZJOfO5jjs.exe "C:\Users\user\Desktop\qZJOfO5jjs.exe"
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c netsh advfirewall firewall delete rule name="benshan"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="benshan"
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Window found: window name: SysTabControl32
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Window detected: Number of UI elements: 27
Source: qZJOfO5jjs.exe Static file information: File size 3432448 > 1048576
Source: qZJOfO5jjs.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x221000
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_004DBF50 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004DBF50
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_004D2F38 push eax; ret 0_2_004D2F56
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_004D0B80 push eax; ret 0_2_004D0BAE
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02536100 push eax; ret 0_2_0253612E
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_025309F7 pushfd ; mov dword ptr [esp], edx 0_2_025309F9
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B0D1 push ebp; mov dword ptr [esp], edi 0_2_00D2B0DC
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B0D1 push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B0F7 push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B0FD push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B09E push ebp; mov dword ptr [esp], edi 0_2_00D2B0DC
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B09E push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B0B6 push dword ptr [esp+48h]; retn 004Ch 0_2_00D2B0A4
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B0B4 push dword ptr [esp+48h]; retn 004Ch 0_2_00D2B0A4
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D26040 push eax; ret 0_2_00D25FF1
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B04F push ebp; mov dword ptr [esp], edi 0_2_00D2B06B
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B04F push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B07C push dword ptr [esp+48h]; retn 004Ch 0_2_00D2B0A4
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2C017 push ebx; ret 0_2_00D2C023
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B43E push ebx; ret 0_2_00D2B43F
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B03D push ebp; mov dword ptr [esp], edi 0_2_00D2B0DC
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B03D push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D121F8 push eax; ret 0_2_00D2D3E6
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B1AC push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B155 push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B15E push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B17F push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B114 push eax; ret 0_2_00D2B2E0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B11E push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B132 push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B130 push dword ptr [esp+48h]; retn 004Ch 0_2_00D2B0A4
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D126CE push ebx; ret 0_2_00D126D2
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D2B2F3 push eax; ret 0_2_00D2B154
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe File created: C:\Users\user\Desktop\myd3d.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02533070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty, 0_2_02533070
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02531800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA, 0_2_02531800
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_025198B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer, 0_2_025198B0
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02514E30 IsWindowVisible,GetWindowRect,CreateCompatibleDC,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,CreateCompatibleDC,SelectObject,DeleteObject, 0_2_02514E30
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_02535780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible, 0_2_02535780
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D13F33 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00D13F33
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00410D9F rdtsc 0_2_00410D9F
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Dropped PE file which has not been started: C:\Users\user\Desktop\myd3d.dll
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe API coverage: 1.9 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D12000 GetModuleHandleA,GetProcAddress,GetSystemInfo, 0_2_00D12000
Source: qZJOfO5jjs.exe, 00000000.00000002.3216251659.000000000083E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00410D9F rdtsc 0_2_00410D9F
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D14645 _memset,IsDebuggerPresent, 0_2_00D14645
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D18F6A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00D18F6A
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_004DBF50 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004DBF50
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0040B29D mov eax, dword ptr fs:[00000030h] 0_2_0040B29D
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D11C70 GetCurrentProcess,IsWow64Process,GetProcessHeap, 0_2_00D11C70
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D17A04 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D17A04
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c netsh advfirewall firewall delete rule name="benshan"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="benshan"
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_0040541D cpuid 0_2_0040541D
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_00D17541 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00D17541
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: 0_2_004EB41A GetVersion,InitializeCriticalSection, 0_2_004EB41A

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c netsh advfirewall firewall delete rule name="benshan"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="benshan"
Source: C:\Users\user\Desktop\qZJOfO5jjs.exe Code function: cmd.exe /c 0_2_00401707