Analysis Report JI93UWUR2p.exe

Overview

General Information

Sample Name: JI93UWUR2p.exe
Analysis ID: 318892
MD5: b2648f9f8ef41a5b1073afc1b5f70f7b
SHA1: d28b4602f1ae9bd282183761a3992c10515734d5
SHA256: 0b283e6ca397953eb86bb7842aa5ae2de6bb651c5e58349e839e1dbc304e96f8

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • JI93UWUR2p.exe (PID: 3152 cmdline: 'C:\Users\user\Desktop\JI93UWUR2p.exe' MD5: B2648F9F8EF41A5B1073AFC1B5F70F7B)
    • winusb.exe (PID: 6260 cmdline: C:\Windows\SysWOW64\mstsc\winusb.exe MD5: B2648F9F8EF41A5B1073AFC1B5F70F7B)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.648301312.0000000002180000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.914566076.0000000000650000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.648328999.00000000021A4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.914790785.00000000021E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: JI93UWUR2p.exe | Avira: detected
Found malware configuration
Source: 00000000.00000002.648301312.0000000002180000.00000040.00000001.sdmp | Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: JI93UWUR2p.exe | Virustotal: Detection: 70%
Source: JI93UWUR2p.exe | ReversingLabs: Detection: 89%
Source: 0.0.JI93UWUR2p.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ewy
Source: 1.0.winusb.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ewy
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_022121D0 CryptDuplicateHash,CryptDestroyHash,CryptGetHashParam,CryptEncrypt,GetProcessHeap,RtlAllocateHeap,memcpy,CryptExportKey
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02212590 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalFree,CryptGenKey,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02211F28 CryptDecrypt
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02211F10 CryptDecrypt,CryptDestroyHash,memcpy,CryptDuplicateHash,CryptVerifySignatureW,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_022138A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.4:49749 -> 186.189.249.2:80
Source: Traffic | Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49763 -> 59.148.253.194:8080
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 59.148.253.194:8080
Source: Joe Sandbox View | IP Address: 59.148.253.194
Source: Joe Sandbox View | IP Address: 186.189.249.2
Source: Joe Sandbox View | ASN Name: HKBN-AS-APHongKongBroadbandNetworkLtdHK
Source: Joe Sandbox View | ASN Name: NSSSAAR
Source: global traffic | TCP traffic: 192.168.2.4:49749 -> 186.189.249.2:80
Source: global traffic | HTTP traffic detected:
POST /VUesxvJLqsgRPBri0T/KPhOAHSN2kVSzn/bJeXeF1LVEmM6VM/fQdoG2HH9qeGa/plktldVlzb8csJM4Ibv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 59.148.253.194/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----------------------FHY8tOFpWJBZLSwMxRmYW9
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 59.148.253.194:8080
Content-Length: 4644
Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 186.189.249.2
Source: unknown | TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02212940 GetProcessHeap,RtlAllocateHeap,InternetReadFile,GetProcessHeap,HeapFree,HttpQueryInfoW
Source: unknown | HTTP traffic detected:
POST /VUesxvJLqsgRPBri0T/KPhOAHSN2kVSzn/bJeXeF1LVEmM6VM/fQdoG2HH9qeGa/plktldVlzb8csJM4Ibv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 59.148.253.194/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----------------------FHY8tOFpWJBZLSwMxRmYW9
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 59.148.253.194:8080
Content-Length: 4644
Cache-Control: no-cache
Source: winusb.exe, 00000001.00000003.729797849.000000000290D000.00000004.00000001.sdmp | String found in binary or memory: http://186.189.249.2/Wa57zPwBH2jYV/92TmuTyey/7gOYi9Zoit9x01Ipx9/APWTl0lAhKxUxI/G3oSW9PKXkWBEWzv/uGJr
Source: winusb.exe, 00000001.00000002.915417523.000000000290F000.00000004.00000001.sdmp | String found in binary or memory: http://59.148.253.194:8080/VUesxvJLqsgRPBri0T/KPhOAHSN2kVSzn/bJeXeF1LVEmM6VM/fQdoG2HH9qeGa/plktldVlz
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_004137E2 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_004137E2 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.648301312.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.914566076.0000000000650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.648328999.00000000021A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.914790785.00000000021E4000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | File created: C:\Windows\SysWOW64\mstsc\
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | File deleted: C:\Windows\SysWOW64\mstsc\winusb.exe:Zone.Identifier
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_004150BB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_004231CF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041F1D8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0042D48E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041F5AC
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0042E60E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0042D9D2
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041F9B8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0042FCB1
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041ED03
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041FDD8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0042DF16
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D8220
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D7EA0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D7640
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D64C0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D1B80
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02189A3E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218E02F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218805E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021891DE
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218371E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0219E74D
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218DFFB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218E4AF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02189DBE
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218E5EA
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_004150BB
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_004231CF
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041F1D8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0042D48E
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041F5AC
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0042E60E
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0042D9D2
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041F9B8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0042FCB1
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041ED03
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041FDD8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0042DF16
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02218220
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02217640
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_022164C0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02211B80
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02217EA0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 004203A0 appears 62 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 004011C0 appears 58 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 0041E5AD appears 92 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 00419CA9 appears 109 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 004031B0 appears 37 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 004033F0 appears 52 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: String function: 00418E47 appears 40 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 004203A0 appears 62 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 004011C0 appears 58 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 0041E5AD appears 92 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 00419CA9 appears 109 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 004031B0 appears 37 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 004033F0 appears 52 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: String function: 00418E47 appears 40 times
          Source: JI93UWUR2p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: JI93UWUR2p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: JI93UWUR2p.exe, 00000000.00000002.649010856.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs JI93UWUR2p.exe
          Source: JI93UWUR2p.exe, 00000000.00000002.649010856.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs JI93UWUR2p.exe
          Source: JI93UWUR2p.exe, 00000000.00000002.647975530.000000000044B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormula.EXED vs JI93UWUR2p.exe
          Source: JI93UWUR2p.exe, 00000000.00000002.648891203.0000000002950000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs JI93UWUR2p.exe
          Source: JI93UWUR2p.exe | Binary or memory string: OriginalFilenameFormula.EXED vs JI93UWUR2p.exe
          Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/0@0/3
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D87A0 OpenSCManagerW,CreateServiceW,_snwprintf,CloseServiceHandle,CloseServiceHandle
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02214C70 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,Process32FirstW,FindCloseChangeNotification
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041611C FindResourceA,LoadResource,LockResource,FreeResource
          Source: JI93UWUR2p.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: JI93UWUR2p.exe | Virustotal: Detection: 70%
          Source: JI93UWUR2p.exe | ReversingLabs: Detection: 89%
          Source: unknown | Process created: C:\Users\user\Desktop\JI93UWUR2p.exe 'C:\Users\user\Desktop\JI93UWUR2p.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\mstsc\winusb.exe C:\Windows\SysWOW64\mstsc\winusb.exe
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Process created: C:\Windows\SysWOW64\mstsc\winusb.exe C:\Windows\SysWOW64\mstsc\winusb.exe
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_CURSOR
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_BITMAP
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_ICON
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_MENU
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_DIALOG
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_STRING
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_ACCELERATOR
          Source: JI93UWUR2p.exe | Static PE information: section name: RT_GROUP_ICON
          Source: JI93UWUR2p.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: JI93UWUR2p.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: JI93UWUR2p.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: JI93UWUR2p.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: JI93UWUR2p.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_004024D0 LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,CreateDirectoryA
          Source: JI93UWUR2p.exe | Static PE information: real checksum: 0x979a0 should be: 0x93829
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_004203E5 push ecx; ret 0_2_004203F8
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041E685 push ecx; ret 0_2_0041E698
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5E20 push ecx; mov dword ptr [esp], 0000EDA0h 0_2_021D5E21
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5E50 push ecx; mov dword ptr [esp], 00007A5Dh 0_2_021D5E51
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5E80 push ecx; mov dword ptr [esp], 0000C40Ah 0_2_021D5E81
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5EE0 push ecx; mov dword ptr [esp], 00000AC6h 0_2_021D5EE1
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5F40 push ecx; mov dword ptr [esp], 0000E5DEh 0_2_021D5F41
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5F70 push ecx; mov dword ptr [esp], 0000E7B9h 0_2_021D5F71
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5FC0 push ecx; mov dword ptr [esp], 0000E566h 0_2_021D5FC1
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5D30 push ecx; mov dword ptr [esp], 000012E8h 0_2_021D5D31
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5D70 push ecx; mov dword ptr [esp], 00008FD2h 0_2_021D5D71
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5DA0 push ecx; mov dword ptr [esp], 00005C85h 0_2_021D5DA1
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D5DD0 push ecx; mov dword ptr [esp], 0000F574h 0_2_021D5DD1
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02187A1E push ecx; mov dword ptr [esp], 0000C40Ah 0_2_02187A1F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02187A7E push ecx; mov dword ptr [esp], 00000AC6h 0_2_02187A7F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02187ADE push ecx; mov dword ptr [esp], 0000E5DEh 0_2_02187ADF
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02187B0E push ecx; mov dword ptr [esp], 0000E7B9h 0_2_02187B0F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02187B5E push ecx; mov dword ptr [esp], 0000E566h 0_2_02187B5F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021878CE push ecx; mov dword ptr [esp], 000012E8h 0_2_021878CF
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218790E push ecx; mov dword ptr [esp], 00008FD2h 0_2_0218790F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218793E push ecx; mov dword ptr [esp], 00005C85h 0_2_0218793F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218796E push ecx; mov dword ptr [esp], 0000F574h 0_2_0218796F
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021879BE push ecx; mov dword ptr [esp], 0000EDA0h 0_2_021879BF
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021879EE push ecx; mov dword ptr [esp], 00007A5Dh 0_2_021879EF
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_004203E5 push ecx; ret 1_2_004203F8
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041E685 push ecx; ret 1_2_0041E698
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02215E20 push ecx; mov dword ptr [esp], 0000EDA0h 1_2_02215E21
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02215E50 push ecx; mov dword ptr [esp], 00007A5Dh 1_2_02215E51
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02215E80 push ecx; mov dword ptr [esp], 0000C40Ah 1_2_02215E81
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02215EE0 push ecx; mov dword ptr [esp], 00000AC6h 1_2_02215EE1
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02215F70 push ecx; mov dword ptr [esp], 0000E7B9h 1_2_02215F71

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Executable created and started: C:\Windows\SysWOW64\mstsc\winusb.exe
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | PE file moved: C:\Windows\SysWOW64\mstsc\winusb.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | File opened: C:\Windows\SysWOW64\mstsc\winusb.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_00410F66 IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_00410F66 IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_0-38142
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-37317
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_1-31392
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | API coverage: 9.5 %
          Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_022138A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
          Source: winusb.exe, 00000001.00000002.915399663.0000000002900000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW M{%SystemRoot%\system32\mswsock.dll
          Source: winusb.exe, 00000001.00000002.915417523.000000000290F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | API call chain: ExitProcess graph end node graph_0-37986
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | API call chain: ExitProcess graph end node graph_0-37252
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | API call chain: ExitProcess graph end node graph_1-31327
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_004024D0 LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,CreateDirectoryA
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041D41B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D3ED0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D4DF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02185A6E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218095E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0218698E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_02180456 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021A1030 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02213ED0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_02214DF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_021E1030 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_021D3070 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap
          Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_0041D41B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_00423ABF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_00427CBF SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\JI93UWUR2p.exe | Code function: 0_2_00420FD7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_0041D41B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_00423ABF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_00427CBF SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\mstsc\winusb.exe | Code function: 1_2_00420FD7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0042B03C
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_0042B0DF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0042B0A3
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_0042A218
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,0_2_004293CB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,0_2_0040E399
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_0042A470
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,0_2_0042941F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_0042955E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,0_2_0042A736
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,0_2_0042CAD3
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_00423BF7
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_0042AB86
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_00429BAA
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_0042AC9D
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_0042AD35
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_0042ADA9
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,0_2_0042CE30
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_0042AF7B
Note: the names _GetLcidFromLangCountry, _GetLcidFromLanguage, _TestDefaultLanguage, _LcidFromHexString, _GetPrimaryLen, ___getlocaleinfo and ___free_lconv_num/___free_lconv_mon are internals of the statically linked Visual C++ CRT (setlocale and lconv initialisation), so most of the GetLocaleInfo/EnumSystemLocales activity listed here is compiler runtime setup rather than language-based targeting by the sample. The one chain that does not end in CRT locale bookkeeping is 0_2_0040E399, where GetLocaleInfoA output feeds __snwprintf_s before LoadLibraryA; that function is worth reviewing by hand.
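Sorting these "Code function" hits by origin is easier when the report's own lines are parsed rather than read one by one. The following is an added example written for this page, not Joe Sandbox's or the sample's code; the CRT name list, the _invoke_watson call order and the three labels are this example's own heuristics, and the input lines are constructed from entries shown above (including one repeated hit and one memory-string line the parser is expected to skip).

```python
"""Triage of Joe Sandbox "Code function" signature lines.

Added example (not part of the original report, not Joe Sandbox's code).
Parses lines of the form
    Source: <image> Code function: <called>,<called>,...,<pid>_<run>_<address>
groups them by the enclosing function identifier (the report repeats the
same hit under several signatures) and labels chains that are Visual C++
CRT internals, so compiler boilerplate can be separated from the sample's
own behaviour. The name sets below are this example's own heuristics.
"""
import re

LINE_RE = re.compile(r"Source:\s*(?P<src>.+?)\s*Code function:\s*(?P<body>.+)$")
# Joe Sandbox function identifier: <process id>_<run>_<virtual address>
ADDR_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8,16}$")

# Names from the CRT's setlocale / lconv initialisation. A chain that
# contains any of them is CRT locale setup, not the sample's own logic.
CRT_LOCALE = {
    "_GetLcidFromLangCountry", "_GetLcidFromLanguage", "_TestDefaultLanguage",
    "_LcidFromHexString", "_GetPrimaryLen", "_ProcessCodePage", "_TranslateName",
    "___getlocaleinfo", "___free_lconv_num", "___free_lconv_mon",
    "_LocaleUpdate::_LocaleUpdate", "__crtGetLocaleInfoA_stat",
    "___crtGetLocaleInfoA", "___crtGetLocaleInfoW", "___crtGetStringTypeA",
    "___crtLCMapStringA",
}
# Call order of the CRT's _invoke_watson invalid-parameter handler.
CRT_INVOKE_WATSON = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                     "UnhandledExceptionFilter", "GetCurrentProcess",
                     "TerminateProcess")


def parse_line(line):
    """Return {'source', 'addr', 'chain'} for a Code function line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = [t.strip() for t in m.group("body").split(",") if t.strip()]
    addr = None
    if tokens and ADDR_RE.match(tokens[-1]):      # trailing identifier
        addr = tokens.pop()
    if tokens:                                     # optional leading identifier
        head, _, rest = tokens[0].partition(" ")
        if ADDR_RE.match(head):
            addr = addr or head
            if rest:
                tokens[0] = rest
            else:
                tokens.pop(0)
    return {"source": m.group("src"), "addr": addr, "chain": tokens}


def _in_order(needle, hay):
    """True when every name in needle occurs in hay in the same relative order."""
    it = iter(hay)
    return all(any(n == h for h in it) for n in needle)


def classify(entry):
    chain = entry["chain"]
    if _in_order(CRT_INVOKE_WATSON, chain):
        return "crt-invoke_watson"
    if any(f in CRT_LOCALE for f in chain):
        return "crt-setlocale"
    return "review"            # nothing recognised: look at it by hand


def triage(lines):
    """Map function identifier -> first hit with its label; repeats collapse."""
    by_addr = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue           # e.g. "Binary or memory string" lines
        key = e["addr"] or "unknown"
        by_addr.setdefault(key, {"source": e["source"], "chain": e["chain"],
                                 "label": classify(e)})
    return by_addr


def summary(by_addr):
    counts = {}
    for hit in by_addr.values():
        counts[hit["label"]] = counts.get(hit["label"], 0) + 1
    return counts


# Constructed input taken from entries on this page: one repeated hit and one
# memory-string line that the parser skips.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_00420FD7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00420FD7",
    r"Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0042B03C",
    r"Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,0_2_0040E399",
    r"Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0042B03C",
    r"Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Progman",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for addr, hit in hits.items():
        print(f"{addr:14} {hit['label']:18} {' -> '.join(hit['chain'])}")
    print(summary(hits))
```

The parser accepts both the spaced form ("...exe Code function:") and the run-together form ("...exeCode function:") that extraction produces, and a truncated line with no trailing identifier lands under the key "unknown" rather than being dropped. Only chains labelled "review" need an analyst's attention; on the constructed input that is the single GetLocaleInfoA, __snwprintf_s, LoadLibraryA chain.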