Analysis Report WDnE51mua6.exe

Overview

General Information

Sample Name: WDnE51mua6.exe
Analysis ID: 383838
MD5: 7e7012645cc3d6d3572bb01891fbcec1
SHA1: 712fe21354098f3764f6e9cbe7b57dc67a65c478
SHA256: df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Machine Learning detection for sample
Obfuscated command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491 Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.php Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/kh= Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/8 Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/hi0 Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpmit Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpp/hi0 Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/#hu Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49 Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/5hc Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/ography Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/ Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/sFt Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Dg Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Vg Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/oi9 Avira URL Cloud: Label: phishing
Multi AV Scanner detection for submitted file
Source: WDnE51mua6.exe Virustotal: Detection: 41%
Source: WDnE51mua6.exe ReversingLabs: Detection: 64%
Machine Learning detection for sample
Source: WDnE51mua6.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: WDnE51mua6.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00409931 ??2@YAPAXI@Z,FindFirstFileW,FindClose, 0_2_00409931
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00404402 FindFirstFileW,FindClose,SetLastError,CompareFileTime, 0_2_00404402
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403327 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403327
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 0_2_00403442
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0091E334
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose, 12_2_0028E334
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_0029A32C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose, 12_2_002965AE
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0025C6C2 FindFirstFileExW, 12_2_0025C6C2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00297205 FindFirstFileW,FindClose, 12_2_00297205
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 12_2_002972A6
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_0028D7CC
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_0028DB0B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00299E43
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00299F9E

Networking:

Uses nslookup.exe to query domains
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 8.208.95.18 8.208.95.18
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0029D672 InternetReadFile,SetEvent,GetLastError,SetEvent, 12_2_0029D672
Source: unknown DNS traffic detected: queries for: zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: nslookup.exe, 00000010.00000003.514415275.0000000003B97000.00000004.00000001.sdmp String found in binary or memory: http://cps.root
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: nslookup.exe, 00000010.00000003.514235035.0000000003B7E000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DST#
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0-
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Gia.exe.com, 00000006.00000000.354716969.0000000000985000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502867230.0000000000985000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529162484.00000000002F5000.00000002.00020000.sdmp, Gia.exe.com.5.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp, nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/#hu
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491
Source: nslookup.exe, 00000010.00000002.591717257.0000000003B30000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/5hc
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/8
Source: nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/Dg
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/Vg
Source: nslookup.exe, 00000010.00000003.536247326.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/hi0
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/kh=
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/ography
Source: nslookup.exe, 00000010.00000003.544012619.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/oi9
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/sFt
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp String found in binary or memory: https://banusdoret.top/upload/upload.php
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/upload/upload.phpmit
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.top/upload/upload.phpp/hi0
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp String found in binary or memory: https://banusdoret.topctionSettings
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Gia.exe.com.5.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00408D9C SetWindowsHookExW 00000002,Function_00008D6E,00000000,00000000 0_2_00408D9C
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0029F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 12_2_0029F345
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0029F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 12_2_0029F345
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008B1976 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 6_2_008B1976
Creates a DirectInput object (often for capturing keystrokes)
Source: WDnE51mua6.exe, 00000000.00000002.486248274.00000000007DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002B9B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 12_2_002B9B7E

System Summary:

Submitted sample is a known malware sample
Source: C:\Windows\SysWOW64\cmd.exe Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198
Family: APT37
Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37
Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wide range of industries is affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.
References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf, https://securelist.com/operation-daybreak/75100/, https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00294635: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 12_2_00294635
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00281A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00281A7B
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 12_2_0028F0CD
Detected potential crypto function
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00406024 0_2_00406024
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041C873 0_2_0041C873
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041A836 0_2_0041A836
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040B140 0_2_0040B140
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_004171F6 0_2_004171F6
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040B9A0 0_2_0040B9A0
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040AAA0 0_2_0040AAA0
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040B350 0_2_0040B350
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040A3F0 0_2_0040A3F0
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041543A 0_2_0041543A
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040C4E0 0_2_0040C4E0
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041C501 0_2_0041C501
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041BD00 0_2_0041BD00
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041C5DB 0_2_0041C5DB
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040A5B0 0_2_0040A5B0
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00410740 0_2_00410740
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00405729 0_2_00405729
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0040FFD8 0_2_0040FFD8
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008D80C7 6_2_008D80C7
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008EE920 6_2_008EE920
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008E6B8B 6_2_008E6B8B
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008DCEC0 6_2_008DCEC0
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008DE600 6_2_008DE600
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008D7E6A 6_2_008D7E6A
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008D17B4 6_2_008D17B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00242097 12_2_00242097
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002480C7 12_2_002480C7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002221FD 12_2_002221FD
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0025A30E 12_2_0025A30E
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00242352 12_2_00242352
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0023C45C 12_2_0023C45C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002AC5C4 12_2_002AC5C4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002928D7 12_2_002928D7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0025E920 12_2_0025E920
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00288AB4 12_2_00288AB4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0023CBB2 12_2_0023CBB2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00256B8B 12_2_00256B8B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0024CEC0 12_2_0024CEC0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002B4F4F 12_2_002B4F4F
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0022D000 12_2_0022D000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002571F9 12_2_002571F9
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00229540 12_2_00229540
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002417B4 12_2_002417B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00229A20 12_2_00229A20
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00241B26 12_2_00241B26
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00247C3B 12_2_00247C3B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00241DD0 12_2_00241DD0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00247E6A 12_2_00247E6A
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00229E80 12_2_00229E80
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0023DF78 12_2_0023DF78
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B97C2C 16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B97C2C 16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B97C2C 16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B97C2C 16_3_03B97C2C
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: String function: 00240E50 appears 46 times
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: String function: 0023FE52 appears 39 times
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: String function: 00404F59 appears 41 times
PE file contains strange resources
Source: juROhmfLml.exe.com.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.485886366.0000000000427000.00000002.00020000.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.488920190.0000000002A50000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs WDnE51mua6.exe
Source: WDnE51mua6.exe Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe
Uses 32bit PE files
Source: WDnE51mua6.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@35/26@3/3
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00409684 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00409684
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00281939 AdjustTokenPrivileges,CloseHandle, 12_2_00281939
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00281F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 12_2_00281F3D
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_004023DF GetDiskFreeSpaceExW,SendMessageW, 0_2_004023DF
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002AADEE CreateToolhelp32Snapshot,Process32FirstW,CompareStringW,Process32NextW,CloseHandle, 12_2_002AADEE
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00409332 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 0_2_00409332
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403908 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress, 0_2_00403908
Source: C:\Users\user\Desktop\WDnE51mua6.exe File created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_01
Source: C:\Windows\SysWOW64\nslookup.exe File created: C:\Users\user\AppData\Local\Temp\chrB32.tmp
Source: WDnE51mua6.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\WDnE51mua6.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WDnE51mua6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: WDnE51mua6.exe Virustotal: Detection: 41%
Source: WDnE51mua6.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\WDnE51mua6.exe File read: C:\Users\user\Desktop\WDnE51mua6.exe
Source: unknown Process created: C:\Users\user\Desktop\WDnE51mua6.exe 'C:\Users\user\Desktop\WDnE51mua6.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js'
Source: unknown Process created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WDnE51mua6.exe Static file information: File size 1338284 > 1048576

Data Obfuscation:

Obfuscated command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00407E2D LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow, 0_2_00407E2D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_3_0464985C pushfd ; retf 0001h 0_3_0464985D
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_3_0464985C pushfd ; retf 0001h 0_3_0464985D
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_3_0464985C pushfd ; retf 0001h 0_3_0464985D
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_3_0464985C pushfd ; retf 0001h 0_3_0464985D
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041C1C0 push eax; ret 0_2_0041C1EE
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_0041BEF0 push ecx; mov dword ptr [esp], ecx 0_2_0041BEF1
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008D0E96 push ecx; ret 6_2_008D0EA9
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00240E96 push ecx; ret 12_2_00240EA9
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9799C push esi; retf 16_3_03B979C3
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9799C push esi; retf 16_3_03B979C3
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9799C push esi; retf 16_3_03B979C3
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972F3 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972F3 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972F3 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B96AE2 push esi; retf 16_3_03B96B09
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B96AE2 push esi; retf 16_3_03B96B09
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972D6 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972D6 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972D6 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9642F push esi; retf 16_3_03B964D6
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9642F push esi; retf 16_3_03B964D6
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9D24C push esi; iretd 16_3_03B9D24D
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9D24C push esi; iretd 16_3_03B9D24D
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9D24C push esi; iretd 16_3_03B9D24D
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9799C push esi; retf 16_3_03B979C3
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9799C push esi; retf 16_3_03B979C3
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B9799C push esi; retf 16_3_03B979C3
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972F3 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972F3 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B972F3 push esi; retf 16_3_03B9739A
Source: C:\Windows\SysWOW64\nslookup.exe Code function: 16_3_03B96AE2 push esi; retf 16_3_03B96B09

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files with a suspicious file extension
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com File created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com
Drops PE files
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com File created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008CFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_008CFC88
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002B231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_002B231B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0023FC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 12_2_0023FC88
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\WDnE51mua6.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\WDnE51mua6.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_3_04646816 sldt word ptr [eax+00000000h] 0_3_04646816
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\nslookup.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\nslookup.exe Thread delayed: delay time: 300000
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 551
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\conhost.exe TID: 4272 Thread sleep count: 551 > 30
Source: C:\Windows\SysWOW64\nslookup.exe TID: 7084 Thread sleep count: 73 > 30
Source: C:\Windows\SysWOW64\nslookup.exe TID: 7084 Thread sleep time: -21900000s >= -30000s
Source: C:\Windows\SysWOW64\nslookup.exe TID: 7084 Thread sleep time: -300000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\nslookup.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\nslookup.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00409931 ??2@YAPAXI@Z,FindFirstFileW,FindClose, 0_2_00409931
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00404402 FindFirstFileW,FindClose,SetLastError,CompareFileTime, 0_2_00404402
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403327 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403327
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 0_2_00403442
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0091E334
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose, 12_2_0028E334
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_0029A32C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose, 12_2_002965AE
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0025C6C2 FindFirstFileExW, 12_2_0025C6C2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00297205 FindFirstFileW,FindClose, 12_2_00297205
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 12_2_002972A6
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_0028D7CC
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_0028DB0B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00299E43
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00299F9E
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008B29A4 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_008B29A4
Source: C:\Windows\SysWOW64\nslookup.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\nslookup.exe Thread delayed: delay time: 300000
Source: Gia.exe.com, 00000006.00000003.373817469.0000000003A0F000.00000004.00000001.sdmp Binary or memory string: VSBQTQCGHGFSVBZNPa
Source: Gia.exe.com, 00000007.00000003.481222837.0000000000C86000.00000004.00000001.sdmp Binary or memory string: For $XiNdoKGhHHMCONMOTWHGfSTeNgLuudMzhkzCOkswjyqkIf = 14 To 21iHv
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Gia.exe.com, 00000006.00000003.379643001.00000000014A1000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.500853897.0000000001015000.00000004.00000001.sdmp Binary or memory string: XINDOKGHHHMCONMOTWHGFSTENGLUUDMZHKZCOKSWJYQKIF
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp Binary or memory string: Local $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("108$94$113$95$116$92$108$80$122$95$72$111$72$127$80$120$83$92$116$80$124$110$124$126$74$120",5)bpP'V
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.517559340.0000000001815000.00000004.00000001.sdmp, D.4.dr Binary or memory string: $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("74$118$85$93$119$111$103$125$93$120$113$69$110$114$80$80$85$74$112$115$120$76$106$102$115",4)
Source: Gia.exe.com, 00000007.00000003.484283807.0000000000E1B000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.512752448.0000000001735000.00000004.00000001.sdmp, D.4.dr Binary or memory string: Local $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("108$94$113$95$116$92$108$80$122$95$72$111$72$127$80$120$83$92$116$80$124$110$124$126$74$120",5)
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.485762857.0000000000DEE000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.517346905.00000000017B0000.00000004.00000001.sdmp, D.4.dr Binary or memory string: Local $OAqRAdBbLENaGz = Execute(WFzUldrKAarEmh("83$116$114$105$110$103$73$115$70$108$111$97$116$40$39$99$88$111$72$89$77$97$80$97$39$41",0)), $rmmUODWAgzS = 'WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx'
Source: juROhmfLml.exe.com, 0000000C.00000003.525890863.0000000003A7D000.00000004.00000001.sdmp Binary or memory string: AYMJRBYKOZPULCBEXEFVMCIRPJNVHKMNQLYPKHLNORGCWOLBBRWSHWLTBV
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: juROhmfLml.exe.com, 0000000C.00000003.526715313.00000000019DF000.00000004.00000001.sdmp Binary or memory string: XINDOKGHHHMCONMOTWHGFSTENGLUUDMZHKZCOKSWJYQKIFzY6
Source: juROhmfLml.exe.com, 0000000C.00000003.521769343.0000000003EAD000.00000004.00000001.sdmp Binary or memory string: VSBQTQCGHGFSVBZNP=
Source: Gia.exe.com, 00000007.00000003.497896623.000000000333D000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.523133517.0000000003D3B000.00000004.00000001.sdmp Binary or memory string: WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx
Source: Gia.exe.com, 00000007.00000003.491094566.0000000003773000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000002.530969482.00000000041DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Gia.exe.com, 00000007.00000003.479485061.0000000000C89000.00000004.00000001.sdmp Binary or memory string: For $AyMjRBYKozpULCBeXeFVMcIRpJnVhKmNQLypkhlNOrGCWOLBbRWsHwltbV = 2 To 35'~O
Source: Gia.exe.com, 00000007.00000003.361970252.0000000003812000.00000004.00000001.sdmp, D.4.dr Binary or memory string: For $XiNdoKGhHHMCONMOTWHGfSTeNgLuudMzhkzCOkswjyqkIf = 14 To 21
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW8O
Source: Gia.exe.com, 00000006.00000003.375300453.00000000038A4000.00000004.00000001.sdmp Binary or memory string: WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx;
Source: D.4.dr Binary or memory string: For $AyMjRBYKozpULCBeXeFVMcIRpJnVhKmNQLypkhlNOrGCWOLBbRWsHwltbV = 2 To 35
Source: Gia.exe.com, 00000007.00000003.488239080.0000000000E52000.00000004.00000001.sdmp Binary or memory string: $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("74$118$85$93$119$111$103$125$93$120$113$69$110$114$80$80$85$74$112$115$120$76$106$102$115",4)W
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Gia.exe.com, 00000007.00000003.495710670.00000000034B7000.00000004.00000001.sdmp Binary or memory string: VSBQTQCGHGFSVBZNPG
Source: Gia.exe.com, 00000006.00000003.373817469.0000000003A0F000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.495710670.00000000034B7000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.521769343.0000000003EAD000.00000004.00000001.sdmp Binary or memory string: VSBQTQCGHGFSVBZNP
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0029F2E8 BlockInput, 12_2_0029F2E8
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008B331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_008B331E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00407E2D LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow, 0_2_00407E2D
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008D5108 mov eax, dword ptr fs:[00000030h] 6_2_008D5108
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00245108 mov eax, dword ptr fs:[00000030h] 12_2_00245108
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028207D GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread, 12_2_0028207D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008D1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_008D1041
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008E29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_008E29B2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00240DF5 SetUnhandledExceptionFilter, 12_2_00240DF5
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002529B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_002529B2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00240C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00240C5F
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00241041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00241041

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2C60000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2800000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2C60000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2800000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Memory written: C:\Windows\SysWOW64\nslookup.exe base: 27F2000
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00281A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00281A7B
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008B331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_008B331E
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Code function: 6_2_008CFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_008CFC88
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0028EB2C mouse_event, 12_2_0028EB2C
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002813DC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_002813DC
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403F0A AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00403F0A
Source: Gia.exe.com, 00000006.00000000.354662827.0000000000973000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502815629.0000000000973000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529054024.00000000002E3000.00000002.00020000.sdmp, Gia.exe.com.5.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Gia.exe.com, juROhmfLml.exe.com, nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_00240AB8 cpuid 12_2_00240AB8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00403CE0 GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00403CE0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\nslookup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chrB32.tmp VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chrCF8.tmp VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chr1073.tmp VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49 VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chr2302.tmp VolumeInformation
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_004028F2 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??3@YAXPAX@Z,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z, 0_2_004028F2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_0025BD72 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_0025BD72
Source: C:\Users\user\Desktop\WDnE51mua6.exe Code function: 0_2_00406024 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,lstrlenW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00406024
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\nslookup.exe File opened: C:\Users\DefaultAccount\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe File opened: C:\Users\WDAGUtilityAccount\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe File opened: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\nslookup.exe File opened: C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\profiles.ini

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002A204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_002A204C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Code function: 12_2_002A1A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 12_2_002A1A4A
Behavior Graph ID: 383838 Sample: WDnE51mua6.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100

Sample-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location; Machine Learning detection for sample

Process tree (with signatures, dropped files and network contacts per process):

WDnE51mua6.exe (started)
    Signatures: Contains functionality to register a low level keyboard hook
    cmd.exe (started)
        Signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        cmd.exe (started)
            Signatures: Obfuscated command line found; Uses ping.exe to sleep
            Gia.exe.com (started)
                Signatures: Drops PE files with a suspicious file extension; Uses nslookup.exe to query domains
                Gia.exe.com (started)
                    Signatures: Uses nslookup.exe to query domains; Writes to foreign memory regions; Injects a PE file into a foreign processes
                    DNS: zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR
                    Dropped: C:\Users\user\AppData\...\juROhmfLml.exe.com (PE32); C:\Users\user\AppData\...\juROhmfLml.url (MS)
                    nslookup.exe (started)
            PING.EXE (started)
                IPs: 127.0.0.1 (unknown); 192.168.2.1 (unknown)
            findstr.exe (started)
                Dropped: C:\Users\user\AppData\Roaming\...\Gia.exe.com (Targa)
        conhost.exe (started)
    svchost.exe (started)
juROhmfLml.exe.com (started)
    Signatures: Uses nslookup.exe to query domains; Writes to foreign memory regions; Injects a PE file into a foreign processes
    DNS: zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR
    nslookup.exe (started)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
        Network: banusdoret.top 8.208.95.18, 443, 49730, 49736 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore
        cmd.exe (started)
            WMIC.exe (started)
            conhost.exe (started)
        cmd.exe (started)
            makecab.exe (started)
            conhost.exe (started)
        cmd.exe (started)
            conhost.exe (started)
wscript.exe (started)
    Signatures: Creates processes via WMI

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
8.208.95.18 | banusdoret.top | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
banusdoret.top 8.208.95.18 true
zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR unknown unknown